Windows Analysis Report TS Debugger.exe

Overview

General Information

Sample Name: TS Debugger.exe
Analysis ID: 440454
MD5: 3e829fb863de2e9dd877b9f9f426a7db
SHA1: 40521cb203d7e29f532be9b501e4a14131daedf1
SHA256: 31f79f2de34cbbe52b7b9a531adb45df3766a7bf82df76fa0731d0303c62e678

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Bypasses PowerShell execution policy
Machine Learning detection for dropped file
Machine Learning detection for sample
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files

Classification

(classification chart not captured)

Process Tree
  • System is w10x64
  • TS Debugger.exe (PID: 6460 cmdline: 'C:\Users\user\Desktop\TS Debugger.exe' MD5: 3E829FB863DE2E9DD877B9F9F426A7DB)
    • conhost.exe (PID: 5764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6708 cmdline: 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1' MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1', CommandLine: 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1', CommandLine|base64offset|contains: ^rbzh'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\TS Debugger.exe', ParentImage: C:\Users\user\Desktop\TS Debugger.exe, ParentProcessId: 6460, ProcessCommandLine: 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1', ProcessId: 6708

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe, ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: TS Debugger.exe, Virustotal: Detection: 11%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: TS Debugger.exe, Joe Sandbox ML: detected
Source: TS Debugger.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TS Debugger.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\projects\git\MahApps.Metro\src\MahApps.Metro\MahApps.Metro\obj\Release\NET45\MahApps.Metro.pdb, source: TS Debugger.exe
Source: Binary string: CMTrace_amd64.pdb, source: TS Debugger.exe
Source: Binary string: D:\projects\git\MahApps.Metro.IconPacks\src\MahApps.Metro.IconPacks\obj\Release_NET45\MahApps.Metro.IconPacks.pdb, source: TS Debugger.exe
Source: Binary string: d:\ExprUpdate2\Blend\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\System.Windows.Interactivity.pdb, source: TS Debugger.exe
Source: TS Debugger.exeString found in binary or memory: https://travis-ci.org/
Source: TS Debugger.exeString found in binary or memory: https://trello.com/about/branding
Source: TS Debugger.exeString found in binary or memory: https://trello.com/about/branding:
Source: TS Debugger.exeString found in binary or memory: https://vimeo.com/about/brand_guidelines
Source: TS Debugger.exeString found in binary or memory: https://vine.co/logo
Source: TS Debugger.exeString found in binary or memory: https://vk.com/about
Source: TS Debugger.exeString found in binary or memory: https://vk.com/about)
Source: TS Debugger.exeString found in binary or memory: https://wiki.diasporafoundation.org/Branding
Source: TS Debugger.exeString found in binary or memory: https://wiki.diasporafoundation.org/Branding-
Source: TS Debugger.exeString found in binary or memory: https://wiki.jenkins-ci.org/display/JENKINS/Logo
Source: TS Debugger.exeString found in binary or memory: https://wiki.jenkins-ci.org/display/JENKINS/Logo;
Source: TS Debugger.exeString found in binary or memory: https://wordpress.org/about/logos
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/amazon-icon
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/amazon-iconX
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/apple
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/apple2
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/basecamp
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/facebook-messenger
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/feedly
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/flickr-1
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/patreon
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/patreono
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/reddit-2
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/reddit-2/
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/wechat-3
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/xing-icon
Source: TS Debugger.exeString found in binary or memory: https://worldvectorlogo.com/logo/xing-icon1
Source: TS Debugger.exeString found in binary or memory: https://www.airbnb.co.uk/press/resources
Source: TS Debugger.exeString found in binary or memory: https://www.airbnb.co.uk/press/resources9
Source: TS Debugger.exeString found in binary or memory: https://www.atlassian.com/company/news/press-kit
Source: TS Debugger.exeString found in binary or memory: https://www.atlassian.com/company/news/press-kitC
Source: TS Debugger.exeString found in binary or memory: https://www.automatic.com/press
Source: TS Debugger.exeString found in binary or memory: https://www.automatic.com/press8
Source: TS Debugger.exeString found in binary or memory: https://www.behance.net/dev/api/brand
Source: TS Debugger.exeString found in binary or memory: https://www.bigcartel.com
Source: TS Debugger.exeString found in binary or memory: https://www.bigcartel.comG
Source: TS Debugger.exeString found in binary or memory: https://www.blogger.com
Source: TS Debugger.exeString found in binary or memory: https://www.blogger.com-
Source: TS Debugger.exeString found in binary or memory: https://www.campaignmonitor.com/brand
Source: TS Debugger.exeString found in binary or memory: https://www.campaignmonitor.com/brand)
Source: TS Debugger.exeString found in binary or memory: https://www.codeigniter.com/help/legal
Source: TS Debugger.exeString found in binary or memory: https://www.codeschool.com/brand-assets
Source: TS Debugger.exeString found in binary or memory: https://www.conekta.io
Source: TS Debugger.exeString found in binary or memory: https://www.conekta.io?
Source: TS Debugger.exeString found in binary or memory: https://www.coursera.org
Source: TS Debugger.exeString found in binary or memory: https://www.designernews.co
Source: TS Debugger.exeString found in binary or memory: https://www.designernews.co.
Source: TS Debugger.exeString found in binary or memory: https://www.digitalocean.com/company/logos-and-badges/
Source: TS Debugger.exeString found in binary or memory: https://www.digitalocean.com/company/logos-and-badges/-
Source: TS Debugger.exeString found in binary or memory: https://www.discovernetwork.com/en-us/business-resources/free-signage-logos
Source: TS Debugger.exeString found in binary or memory: https://www.discovernetwork.com/en-us/business-resources/free-signage-logos%
Source: TS Debugger.exeString found in binary or memory: https://www.docker.com
Source: TS Debugger.exeString found in binary or memory: https://www.docker.comD
Source: TS Debugger.exeString found in binary or memory: https://www.dropbox.com/branding
Source: TS Debugger.exeString found in binary or memory: https://www.drupal.org/drupalorg/style-guide/colors
Source: TS Debugger.exeString found in binary or memory: https://www.drupal.org/drupalorg/style-guide/colors.
Source: TS Debugger.exeString found in binary or memory: https://www.ethereum.org/images/logos/Ethereum_Visual_Identity_1.0.0.pdf
Source: TS Debugger.exeString found in binary or memory: https://www.ethereum.org/images/logos/Ethereum_Visual_Identity_1.0.0.pdf(
Source: TS Debugger.exeString found in binary or memory: https://www.etsy.com/uk/press
Source: TS Debugger.exeString found in binary or memory: https://www.eventbrite.com
Source: TS Debugger.exeString found in binary or memory: https://www.eventbrite.com5
Source: TS Debugger.exeString found in binary or memory: https://www.facebookbrand.com
Source: TS Debugger.exeString found in binary or memory: https://www.facebookbrand.com4
Source: TS Debugger.exeString found in binary or memory: https://www.frype.com/applications/dev/docs/logos/
Source: TS Debugger.exeString found in binary or memory: https://www.geocaching.com/about/logousage.aspx
Source: TS Debugger.exeString found in binary or memory: https://www.geocaching.com/about/logousage.aspx)
Source: TS Debugger.exeString found in binary or memory: https://www.gumtree.com
Source: TS Debugger.exeString found in binary or memory: https://www.hackerrank.com/
Source: TS Debugger.exeString found in binary or memory: https://www.heroku.com
Source: TS Debugger.exeString found in binary or memory: https://www.ifixit.com/
Source: TS Debugger.exeString found in binary or memory: https://www.ifixit.com/9
Source: TS Debugger.exeString found in binary or memory: https://www.instacart.com/press
Source: TS Debugger.exeString found in binary or memory: https://www.instacart.com/press/
Source: TS Debugger.exeString found in binary or memory: https://www.instagram-brand.com
Source: TS Debugger.exeString found in binary or memory: https://www.intercom.io
Source: TS Debugger.exeString found in binary or memory: https://www.intercom.ioC
Source: TS Debugger.exeString found in binary or memory: https://www.kaggle.com/contact
Source: TS Debugger.exeString found in binary or memory: https://www.kaggle.com/contactY
Source: TS Debugger.exeString found in binary or memory: https://www.kickstarter.com/help/brand_assets
Source: TS Debugger.exeString found in binary or memory: https://www.mixcloud.com/branding
Source: TS Debugger.exeString found in binary or memory: https://www.monkey-tie.com/presse
Source: TS Debugger.exeString found in binary or memory: https://www.moo.com/uk/about/press.html
Source: TS Debugger.exeString found in binary or memory: https://www.moo.com/uk/about/press.html7
Source: TS Debugger.exeString found in binary or memory: https://www.oculus.com/en-us/press-kit
Source: TS Debugger.exeString found in binary or memory: https://www.office.com
Source: TS Debugger.exeString found in binary or memory: https://www.office.com.
Source: TS Debugger.exeString found in binary or memory: https://www.office.com1
Source: TS Debugger.exeString found in binary or memory: https://www.origin.com/gbr/en-us/store
Source: TS Debugger.exeString found in binary or memory: https://www.ovh.com/fr/news/logo-ovh.xml
Source: TS Debugger.exeString found in binary or memory: https://www.paypal-marketing.com/html/partner/na/portal-v2/pdf/PP_Masterbrandguidelines_v21_mm.pdf
Source: TS Debugger.exeString found in binary or memory: https://www.paypal-marketing.com/html/partner/na/portal-v2/pdf/PP_Masterbrandguidelines_v21_mm.pdf.
Source: TS Debugger.exeString found in binary or memory: https://www.periscope.tv/press
Source: TS Debugger.exeString found in binary or memory: https://www.periscope.tv/pressV
Source: TS Debugger.exeString found in binary or memory: https://www.plurk.com/brandInfo
Source: TS Debugger.exeString found in binary or memory: https://www.plurk.com/brandInfo.
Source: TS Debugger.exeString found in binary or memory: https://www.producthunt.com/branding
Source: TS Debugger.exeString found in binary or memory: https://www.quantopian.com
Source: TS Debugger.exeString found in binary or memory: https://www.quora.com
Source: TS Debugger.exeString found in binary or memory: https://www.raspberrypi.org/trademark-rules
Source: TS Debugger.exeString found in binary or memory: https://www.raspberrypi.org/trademark-rules;
Source: TS Debugger.exeString found in binary or memory: https://www.reverbnation.com
Source: TS Debugger.exeString found in binary or memory: https://www.reverbnation.com1
Source: TS Debugger.exeString found in binary or memory: https://www.scribd.com
Source: TS Debugger.exeString found in binary or memory: https://www.scribd.comG
Source: TS Debugger.exeString found in binary or memory: https://www.skyliner.io/help
Source: TS Debugger.exeString found in binary or memory: https://www.skyliner.io/help7
Source: TS Debugger.exeString found in binary or memory: https://www.snapchat.com/brand-guidelines
Source: TS Debugger.exeString found in binary or memory: https://www.snapchat.com/brand-guidelines4
Source: TS Debugger.exeString found in binary or memory: https://www.spotlight.com/
Source: TS Debugger.exeString found in binary or memory: https://www.ted.com/participate/organize-a-local-tedx-event/tedx-organizer-guide/branding-promotions
Source: TS Debugger.exeString found in binary or memory: https://www.toptal.com/branding
Source: TS Debugger.exeString found in binary or memory: https://www.tumblr.com/logo
Source: TS Debugger.exeString found in binary or memory: https://www.tumblr.com/logo1
Source: TS Debugger.exeString found in binary or memory: https://www.twilio.com/company/brand
Source: TS Debugger.exeString found in binary or memory: https://www.twilio.com/company/brand0
Source: TS Debugger.exeString found in binary or memory: https://www.uber.com/media/
Source: TS Debugger.exeString found in binary or memory: https://www.uber.com/media/5
Source: TS Debugger.exeString found in binary or memory: https://www.udacity.com
Source: TS Debugger.exeString found in binary or memory: https://www.upwork.com/press/
Source: TS Debugger.exeString found in binary or memory: https://www.upwork.com/press/;
Source: TS Debugger.exeString found in binary or memory: https://www.whatsappbrand.com
Source: TS Debugger.exeString found in binary or memory: https://www.whatsappbrand.com?
Source: TS Debugger.exeString found in binary or memory: https://www.xero.com/uk/about/media/downloads
Source: TS Debugger.exeString found in binary or memory: https://www.xero.com/uk/about/media/downloads5
Source: TS Debugger.exeString found in binary or memory: https://www.ycombinator.com/press/
Source: TS Debugger.exeString found in binary or memory: https://www.ycombinator.com/press/$
Source: TS Debugger.exeString found in binary or memory: https://www.youtube.com/yt/brand/en-GB/downloads.html
Source: TS Debugger.exeString found in binary or memory: https://www.zendesk.com
Source: TS Debugger.exeString found in binary or memory: https://www.zendesk.com/
Source: TS Debugger.exeString found in binary or memory: https://zapier.com/about/brand
Source: TS Debugger.exeString found in binary or memory: https://zapier.com/about/brand%
Source: TS Debugger.exeString found in binary or memory: https://zerply.com/about/resources
Source: TS Debugger.exeString found in binary or memory: https://zerply.com/about/resources.
Source: CMTrace.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CMTrace.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CMTrace.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CMTrace.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TS Debugger.exe, 00000000.00000002.665703448.00000000043A6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMTrace_amd64.exer) vs TS Debugger.exe
Source: TS Debugger.exe, 00000000.00000002.659931423.0000000000BE8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMahApps.Metro.dllH vs TS Debugger.exe
Source: TS Debugger.exe, 00000000.00000002.659931423.0000000000BE8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.dll` vs TS Debugger.exe
Source: TS Debugger.exe, 00000000.00000002.659931423.0000000000BE8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Interactivity.dll\ vs TS Debugger.exe
Source: TS Debugger.exe, 00000000.00000002.665265855.0000000001FEB000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTS_Debugger.exe4 vs TS Debugger.exe
Source: TS Debugger.exe, 00000000.00000002.665553440.0000000002529000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TS Debugger.exe
Source: TS Debugger.exe | Binary or memory string: OriginalFilenameCMTrace_amd64.exer) vs TS Debugger.exe
Source: TS Debugger.exe | Binary or memory string: OriginalFilenameMahApps.Metro.dllH vs TS Debugger.exe
Source: TS Debugger.exe | Binary or memory string: OriginalFilenameMahApps.Metro.IconPacks.dll` vs TS Debugger.exe
Source: TS Debugger.exe | Binary or memory string: OriginalFilenameSystem.Windows.Interactivity.dll\ vs TS Debugger.exe
Source: TS Debugger.exe | Binary or memory string: OriginalFilenameTS_Debugger.exe4 vs TS Debugger.exe
Source: TS Debugger.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine | Classification label: mal72.evad.winEXE@4/34@0/0
Source: C:\Users\user\Desktop\TS Debugger.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TS Debugger.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5764:120:WilError_01
Source: C:\Users\user\Desktop\TS Debugger.exe | File created: C:\Users\user\AppData\Local\Temp\Make-EXE0
Source: TS Debugger.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\TS Debugger.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TS Debugger.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TS Debugger.exe | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Users\user\Desktop\TS Debugger.exe 'C:\Users\user\Desktop\TS Debugger.exe'
Source: C:\Users\user\Desktop\TS Debugger.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TS Debugger.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1'
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: TS Debugger.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TS Debugger.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: TS Debugger.exe | Static file information: File size 22380544 > 1048576
Source: TS Debugger.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1515600
Source: TS Debugger.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: d:\projects\git\MahApps.Metro\src\MahApps.Metro\MahApps.Metro\obj\Release\NET45\MahApps.Metro.pdb source: TS Debugger.exe
Source: Binary string: CMTrace_amd64.pdb source: TS Debugger.exe
Source: Binary string: D:\projects\git\MahApps.Metro.IconPacks\src\MahApps.Metro.IconPacks\obj\Release_NET45\MahApps.Metro.IconPacks.pdb source: TS Debugger.exe
Source: Binary string: d:\ExprUpdate2\Blend\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\System.Windows.Interactivity.pdb source: TS Debugger.exe

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Users\user\Desktop\TS Debugger.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1'
Source: C:\Users\user\Desktop\TS Debugger.exe | File created: C:\Users\user\AppData\Local\Temp\Make-EXE0\System.Windows.Interactivity.dll
Source: C:\Users\user\Desktop\TS Debugger.exe | File created: C:\Users\user\AppData\Local\Temp\Make-EXE0\CMTrace.exe
Source: C:\Users\user\Desktop\TS Debugger.exe | File created: C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.dll
Source: C:\Users\user\Desktop\TS Debugger.exe | File created: C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe
Source: C:\Users\user\Desktop\TS Debugger.exe | File created: C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.IconPacks.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\TS Debugger.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\TS Debugger.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3497
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3722
Source: C:\Users\user\Desktop\TS Debugger.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Make-EXE0\System.Windows.Interactivity.dll
Source: C:\Users\user\Desktop\TS Debugger.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Make-EXE0\CMTrace.exe
Source: C:\Users\user\Desktop\TS Debugger.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.dll
Source: C:\Users\user\Desktop\TS Debugger.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe
Source: C:\Users\user\Desktop\TS Debugger.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.IconPacks.dll
Source: C:\Users\user\Desktop\TS Debugger.exe TID: 6724 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6280 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6280 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\TS Debugger.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: C:\Users\user\Desktop\TS Debugger.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1'
Source: TS Debugger.exe | Binary or memory string: Shell_TrayWnd9Unable to combine two HRGNs.%WindowChromeWorker'HRESULT_FROM_WIN32(
Source: C:\Users\user\Desktop\TS Debugger.exe | Queries volume information: C:\Users\user\Desktop\TS Debugger.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\System.Windows.Interactivity.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.IconPacks.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\round_french.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\round_us.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\round_german.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\round_pt.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\round_spain.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\regedit.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\taskmanager.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\powershell.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\cmd.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\explorer.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\mstsc.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\devicemgmt.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Make-EXE0\logo.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection12 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | PowerShell2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph

Behavior Graph ID: 440454; Sample: TS Debugger.exe; Startdate: 25/06/2021; Architecture: WINDOWS; Score: 72. The graph image is not reproduced; its recoverable content:

  • Start node signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Suspicious powershell command line found; 3 other signatures
  • TS Debugger.exe started. Dropped files: C:\Users\user\AppData\...\TS_Debugger.exe (PE32); C:\Users\user\AppData\...\TS Debugger.exe.log (ASCII); C:\Users\...\System.Windows.Interactivity.dll (PE32); 3 other files (none is malicious). Signature: Suspicious powershell command line found
  • TS Debugger.exe started powershell.exe and conhost.exe

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source | Detection | Scanner | Label
TS Debugger.exe | 12% | Virustotal |
TS Debugger.exe | 3% | ReversingLabs |
TS Debugger.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Make-EXE0\CMTrace.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\Make-EXE0\CMTrace.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.IconPacks.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.IconPacks.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Make-EXE0\System.Windows.Interactivity.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\Make-EXE0\System.Windows.Interactivity.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe | 10% | ReversingLabs | Win32.Dropper.Generic
No Antivirus matches
Source | Detection | Scanner | Label
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                        high
                                                                                        http://www.makerbot.com/makerbot-press-assetsTS Debugger.exefalse
                                                                                          high
                                                                                          https://account.app.net/legal/assetsTS Debugger.exefalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://stackoverflow.com/company/logos-TS Debugger.exefalse
                                                                                            high
                                                                                            https://asana.com/stylesTS Debugger.exefalse
                                                                                              high
                                                                                              http://www.tripadvisor.co.uk/PressCenterTS Debugger.exefalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://stackoverflow.com/company/logos.TS Debugger.exefalse
                                                                                                high
                                                                                                https://ello.coTS Debugger.exefalse
                                                                                                  high
                                                                                                  http://corp.stumbleupon.com/pressTS Debugger.exefalse
                                                                                                    high
                                                                                                    https://everplaces.comTS Debugger.exefalse
                                                                                                      high
                                                                                                      http://www.nintendo.co.uk/TS Debugger.exefalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://www.atlassian.com/company/news/press-kitTS Debugger.exefalse
                                                                                                        high
                                                                                                        https://commons.wikimedia.org/wiki/File:Telegram_alternative_logo.svgTS Debugger.exefalse
                                                                                                          high
                                                                                                          http://www.imdb.com/pressroom/brand_guidelines/TS Debugger.exefalse
                                                                                                            high
                                                                                                            https://www.conekta.io?TS Debugger.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://brand.linkedin.comGTS Debugger.exefalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://hootsuite.com/en-gb/about/media-kitTS Debugger.exefalse
                                                                                                              high
                                                                                                              http://metro.mahapps.com/winfx/xaml/iconpacksTS Debugger.exefalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://identitystandards.acm.org/TS Debugger.exefalse
                                                                                                                high
                                                                                                                https://worldvectorlogo.com/logo/facebook-messengerTS Debugger.exefalse
                                                                                                                  high
                                                                                                                  https://about.me/assetsTS Debugger.exefalse
                                                                                                                    high
                                                                                                                    https://www.designernews.co.TS Debugger.exefalse
                                                                                                                      high
                                                                                                                      http://bebo.com/pressTS Debugger.exefalse
                                                                                                                        high
                                                                                                                        https://runkeeper.com/partnerships0TS Debugger.exefalse
                                                                                                                          high
                                                                                                                          http://doc.jsfiddle.net/meta/downloads.htmlGTS Debugger.exefalse
                                                                                                                            high
                                                                                                                            https://www.geocaching.com/about/logousage.aspxTS Debugger.exefalse
                                                                                                                              high
                                                                                                                              https://proto.io/en/presskit1TS Debugger.exefalse
                                                                                                                                high
                                                                                                                                https://overcast.fmTS Debugger.exefalse
                                                                                                                                  high
                                                                                                                                  https://www.reverbnation.com1TS Debugger.exefalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://mspartner-public.sharepoint.com/XBOX%20Games/Xbox%20logoTS Debugger.exefalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://www.skyliner.io/help7TS Debugger.exefalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://mttr.net:TS Debugger.exefalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  http://git-scm.com/downloads/logos%TS Debugger.exefalse
                                                                                                                                    high
                                                                                                                                    https://about.gitlab.com/press/TS Debugger.exefalse
                                                                                                                                      high
                                                                                                                                      https://evernote.com/brand/color-palette/TS Debugger.exefalse
                                                                                                                                        high
                                                                                                                                        http://www.systanddeploy.com/TS Debugger.exefalse
                                                                                                                                          high
                                                                                                                                          https://buffer.com/pressTS Debugger.exefalse
                                                                                                                                            high
                                                                                                                                            https://getmonero.orgTS Debugger.exefalse
                                                                                                                                              high
                                                                                                                                              https://github.com/jekyll/brandTS Debugger.exefalse
                                                                                                                                                high
                                                                                                                                                https://www.twilio.com/company/brand0TS Debugger.exefalse
                                                                                                                                                  high
                                                                                                                                                  https://codio.comTS Debugger.exefalse
                                                                                                                                                    high
                                                                                                                                                    http://getgrav.org/mediaTS Debugger.exefalse
                                                                                                                                                      high
                                                                                                                                                      https://www.designernews.coTS Debugger.exefalse
                                                                                                                                                        high
                                                                                                                                                        https://sellfy.com/about/TS Debugger.exefalse
                                                                                                                                                          high
                                                                                                                                                          https://www.intercom.ioCTS Debugger.exefalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://lanyrd.com/help/faq/#brandingTS Debugger.exefalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://www.last.fm/about/resourcesTS Debugger.exefalse
                                                                                                                                                            high
                                                                                                                                                            https://www.digitalocean.com/company/logos-and-badges/TS Debugger.exefalse
                                                                                                                                                              high
                                                                                                                                                              http://www.hulu.com/press/assetsTS Debugger.exefalse
                                                                                                                                                                high
No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 440454
Start date: 25.06.2021
Start time: 12:15:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: TS Debugger.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.evad.winEXE@4/34@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 2
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Execution Graph export aborted for target TS Debugger.exe, PID 6460 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
12:16:16 | API Interceptor | 1x Sleep call for process: powershell.exe modified

No context
No context
No context
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.IconPacks.dll | TS Debugger.exe | Get hash | malicious | Browse |
 | PS1 To EXE Generator.exe | Get hash | malicious | Browse |
 | TrBKmxvLQV.exe | Get hash | malicious | Browse |
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.dll | TS Debugger.exe | Get hash | malicious | Browse |
 | http://download1.a9t9.com/kantu/kantux-setup.exe | Get hash | malicious | Browse |
 | PDFCreator-4_0_3-Setup.exe | Get hash | malicious | Browse |
 | PDFCreator-3_5_1-Setup.exe | Get hash | malicious | Browse |
 | PS1 To EXE Generator.exe | Get hash | malicious | Browse |
 | TrBKmxvLQV.exe | Get hash | malicious | Browse |
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TS Debugger.exe.log
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):226
Entropy (8bit):5.354940450065058
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:B10E37251C5B495643F331DB2EEC3394
SHA-1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:true
Reputation:moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):11606
Entropy (8bit):4.8910535897909355
Encrypted:false
SSDEEP:192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
MD5:7A57D8959BFD0B97B364F902ACD60F90
SHA-1:7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
SHA-256:47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
SHA-512:83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
Malicious:false
Reputation:moderate, very likely benign file
Preview: PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
C:\Users\user\AppData\Local\Temp\Make-EXE0\AssemblyInfo.json
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):145
Entropy (8bit):4.550976904261649
Encrypted:false
SSDEEP:3:YgrBjIrfYbW1JCFMKzNLVFNLVDK7W/JIAB6/JrLPIs2DP4:YgrVIraW1EPNXNwy/J/KFPTo4
MD5:401086B632B16B4F9CACD98631D33581
SHA-1:7C2D4E5E90330C923AB8CE588FA43DC5FAA4A88F
SHA-256:995C4267B203195D1B3E21FC121057329A4A1C203E74DCDBBCC0F305075EFA67
SHA-512:82B5CC65D0D25AA4ECCA8BEBE2C77EAFDB2761D3DCB47AEA18F1C0BDA02B778D4158A67A0573D1AD3283B9671F0A93068C095AA282C7FB0891E7D8B7EE53C014
Malicious:false
Reputation:low
Preview: {"EmbedFiles":false,"AssemblyVersion":"0.0.0.0","FileVersion":"0.0.0.0","ProductName":"","ProductDescription":"","CompanyName":"","Copyright":""}
C:\Users\user\AppData\Local\Temp\Make-EXE0\CMTrace.exe
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):323664
Entropy (8bit):5.756828502066153
Encrypted:false
SSDEEP:6144:wc9s/u2VE4vdlZzEg0lSAF4VNrwB+BQmjMDXqmgPaJ:wz7/vdlZzcfF4V1E+2IPaJ
MD5:A50A0FA21B5E248840B2B4AF7F872A1A
SHA-1:B332B24150A05B8AD51FD99249ADE879C8F8F919
SHA-256:3FDD967CA738927EC8E5415E74AA4513E714D9B62771A575406CABCB1F87CA3D
SHA-512:74D3B238A873D08F16D51E2305A356121028EA8C41F58028B87D35EBB5AA09A21C917477AC8950F4C6E60BB3EFBC494CD4054D20D52FEA9C37C7C19B22C5B8A8
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.0.!.^.!.^.!.^.(..._.^.(...+.^..$%.4.^.!._...^.(...c.^..$". .^.(... .^.Rich!.^.........................PE..d.....P.........."..................`.........@............................. .......I....@.......... ......................................d........@..<.... ..........P.......P...`................................................................................text............................... ..`.data....>..........................@....pdata....... ......................@..@.rsrc...<....@......................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\Make-EXE0\Load.xaml
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:ASCII text
Category:dropped
Size (bytes):737
Entropy (8bit):5.149936309472776
Encrypted:false
SSDEEP:12:49aDpem4+DJKf+DJIvDQ8DHVqSGCYQGYysvs8/PfRxWG5UODG0v2n:4sDsm4+4f+oDQmVqrCYQGYZpvmGL8
MD5:69CE892E186D7077902B61A24195D570
SHA-1:366BD1DD5F15907C71BEDA2CECCDCA760EC3D35B
SHA-256:A1C42F5EE6FC592A75A1D4B4AAD93E5C2B3BB86FC4AA58A2AEEA60ADAA8C0E73
SHA-512:F6796BE193F70798B96B9380A83CE4C115E8F0FB15EF6B5FA61A584F493213C55FC56D461183821610C72A571E8DCC5D838E69CA2F70A60CB464EE28B5F7DA28
Malicious:false
Reputation:low
Preview: <Grid. xmlns:Controls="clr-namespace:MahApps.Metro.Controls;assembly=MahApps.Metro"..xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation". xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"...xmlns:iconPacks="http://metro.mahapps.com/winfx/xaml/iconpacks" .......Height="100">.. <StackPanel HorizontalAlignment="Center" Orientation="Vertical" Margin="0,10,0,0">......<Label Content="Chargement du log" FontSize="14" Foreground="Black" FontWeight="Bold" HorizontalAlignment="Center"/>.....<StackPanel Orientation="Horizontal" Margin="0,5,0,0" HorizontalAlignment="Center">...........<Controls:ProgressRing Foreground="{DynamicResource AccentColorBrush}" Width="40"/>.....</StackPanel>.....</StackPanel>..</Grid>
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.IconPacks.dll
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4902912
Entropy (8bit):3.540666693038313
Encrypted:false
SSDEEP:12288:xsBavhh5DcwTLLKACX2ydYO+2dlj+HKvhH85PklnAQKvY7LJb4oAPlPjeUU90Qv3:xxprDcE+jyzhmMXx6T
MD5:E2689EE8F7C54CE73D0EE6F8A22B76C8
SHA-1:D1FADAC8EEAD2C75AE1058508E95C672A251B70F
SHA-256:D554299000017553CBA1152E44872F3D2327F81597D11B6B53BFFB5CCE399581
SHA-512:56C949C2DF1BB9F0ABA78BA38468657196998D1290937BAEC05F0C7C9A3D9AC10476E353C321B4849CA6254A2AC552B8BE2F0D217DD461019CEF2D065B0A6E05
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: TS Debugger.exe, Detection: malicious
• Filename: PS1 To EXE Generator.exe, Detection: malicious
• Filename: TrBKmxvLQV.exe, Detection: malicious
Reputation:low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(..X.........." ..0...J.........".J.. ....K...... .......................@K...........`...................................J.O.....K.H.................... K.......J.............................................. ............... ..H............text...(.J.. ....J................. ..`.rsrc...H.....K.......J.............@..@.reloc....... K.......J.............@..B..................J.....H........X...=I...........J..M..........................................>. 4......(....*2......o....*:........o....*.0..,........o....r...p $...........%...%....o....t....*&...o....*..(....*...0..........r!..p.....( ........( .........s!...("....#...r+..p.<...( ........( ...#.........<.......$...s%...s&...("....'...r=..p.?...( ........( .....?......(...s)......*...s%...s&...("....+...rG..p.....( ...o,...(-........rq..p.<...( ........( ...#.......?.<....../...s)......0...s%...
C:\Users\user\AppData\Local\Temp\Make-EXE0\MahApps.Metro.dll
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1146368
Entropy (8bit):6.24730870619931
Encrypted:false
SSDEEP:24576:Ruj4mZwyXFep6P6WOT1yp8ZWZI2NWxV/AHUG:SwykkkZWZ+xV/FG
MD5:A1B84E1D85EF46E744E0A492C73CEFA1
SHA-1:492240E4796D1F7B62F16B90C530BB2BB1FEB3BF
SHA-256:F1A8D821A17D9A38C878B6239F1C142F04495607AD17457022EF58796C127D51
SHA-512:813A63572FD0682BA57DA714402DE7FF8F250C535A0238711E6CEAEEE7BB482360E1CFD2A4BFE40D59756FF12598CA3750DF9CB34DD756E29E4E197AEA7F1B88
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: TS Debugger.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: PDFCreator-4_0_3-Setup.exe, Detection: malicious
• Filename: PDFCreator-3_5_1-Setup.exe, Detection: malicious
• Filename: PS1 To EXE Generator.exe, Detection: malicious
• Filename: TrBKmxvLQV.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......X.........." ..0..t............... ........... ....................................`.................................`...O.......$...........................(................................................ ............... ..H............text....r... ...t.................. ..`.rsrc...$............v..............@..@.reloc...............|..............@..B........................H........ ...;...........\...3..........................................>. 4......(O...*2......oP...*:........oQ...*.0..,........oR...r...p $...........%...%....oS...t....*&...oT...*..(U...*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*....0..~.......r!..p.....(V...sW...(....r9..p.....(V...sW...(....rW..p.....(V...sW...(....ru..p.....(V...sW...(....r...p.....(V...sW...(....*...0..9........sX...(Y.....~Z...([...-..(k...-.*. .....s\...~Z...(....*^.r
C:\Users\user\AppData\Local\Temp\Make-EXE0\Run_PS_Wizard.ps1
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):118
Entropy (8bit):4.898716652577981
Encrypted:false
SSDEEP:3:SDqlCVJALJJFL2h72TLcBxovVbSJJLNyWRSAHRImeVERmuHSa:SDqlCXA9uhyTLcBQGnyWSAHR8CHSa
MD5:C06C18BDB893042A8216C9B93B163974
SHA-1:A3AF42435C2B2FB6EF921BB7240D989F9549053C
SHA-256:A4891FC1FECCD209364ECFED7A5369D8208205D9F6B8C115234DD934F0CC3453
SHA-512:5E348F871C7D9CCEBB2B7F4264F02509FDA5B9398654944A1A0F3B19B5A04CFFDADEC15F6D25E8E55C15F51DC934653D9B95A7919A86DDF91ED92031E3FF0792
Malicious:false
Preview: # start-process powershell .\MDT_OSD_FrontEnd.ps1..powershell.exe -sta -executionpolicy Bypass -file Quick_GUI.ps1....
C:\Users\user\AppData\Local\Temp\Make-EXE0\System.Windows.Interactivity.dll
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):55904
                                                                                                                                                                                  Entropy (8bit):6.299047178318044
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:BYQaIZaEmaOQxn6JxKjtlMZAnuETAV+w4:aIhOQcSLAj4
                                                                                                                                                                                  MD5:580244BC805220253A87196913EB3E5E
                                                                                                                                                                                  SHA1:CE6C4C18CF638F980905B9CB6710EE1FA73BB397
                                                                                                                                                                                  SHA-256:93FBC59E4880AFC9F136C3AC0976ADA7F3FAA7CACEDCE5C824B337CBCA9D2EBF
                                                                                                                                                                                  SHA-512:2666B594F13CE9DF2352D10A3D8836BF447EAF6A08DA528B027436BB4AFFAAD9CD5466B4337A3EAF7B41D3021016B53C5448C7A52C037708CAE9501DB89A73F0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                   • Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W."Q...........!.................... ........ ;. ...................................`.....................................K.......................`>..........H................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......,O...`..........pD......P ......................................g.=d.N:..K..=mU.....M......^.....@........h.pX..9.web.~M}.R9 l9..2.....1S...{^..Pn....8.6k...S.-.K..$uXpy....t.'.%u/...+VC6.(.....{....*...0..&........(..............s....o.....s....}....*...0..K........(.....{....o........,3..+&..( .........{.....o!............*..X...(....2.*..0..L........{.....o"...,=(#...(..................($...o%.......(&...o%.....('...s(...z*.0...........o).......E............d
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14920192
                                                                                                                                                                                  Entropy (8bit):4.959699552056395
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:3Mz7ZQJ7iC93wykkkZWZ+xV/FGhoDTqVtMz7ZQJ7iC93wykkkZWZ+xV/FGhoDTqf:3KyJWCQZmTKyJWCQZmpO
                                                                                                                                                                                  MD5:098D977EB44708935120B21176FC8FAF
                                                                                                                                                                                  SHA1:35CC85E8A03CB17033903B79D08DD03E380B0F15
                                                                                                                                                                                  SHA-256:A0AC0A7902235E07339ECC6B38347E89E581954D5C0C64200CF6FE94DD5E4176
                                                                                                                                                                                  SHA-512:170DB857AA0992E268774395C924F4AF7EF6E5528453F1A5182E0ABE43ED5235FDF64A4A31DD215B1DB6CE0D77CD6F2C9E5D3B6184CCC01821DD260AF46D7FFA
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 10%
                                                                                                                                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._.....................(........... ........@.. ....................................@.....................................O........%........................................................................... ............... ..H............text....~... ...................... ..`.rsrc....%.......&..................@..@.reloc..............................@..B.......................H......................."...n...........................................0..S.......(......o.....(.....(....o....,...(.....r...p....+l.r...p.......(....(....(....,..r...p.......(....(.....(....+$.r...p.......r...p(....(......(....&..&...X.....r...p(....-..........+`..........o.........(.....s..........o......o......o........,...o.........,...o........X.....X.......i2.r...p........+".........r...p..r...p(.........X.......i2.s.........o.......o ......(!...o"...r#..p(....,)..r-.
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.ps1
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):29441
                                                                                                                                                                                  Entropy (8bit):5.3188412784773265
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:lTPneUASEChLEVTcpRj5aLruQPQzn1k1ECC48r4kVOe2s0PUr:ZnevXV8h+VPdhOt2u
                                                                                                                                                                                  MD5:71F962D72BA6EB7F82CE578E6C321A90
                                                                                                                                                                                  SHA1:D15FD0D85DD4551CF7A4DA008C5FD70FBADCD7A3
                                                                                                                                                                                  SHA-256:9F3FA47E9F996BDA9EBD5918CE71F4B27034248C8452C5015229299A763659F4
                                                                                                                                                                                  SHA-512:615DFECA061AB8C4991509F460DEF52447B321B1C1CB5EBE3354878F284A6219296106696C9D7C8EB88E80D22B1A3F3BC4F6601D530854B3EC7A00F8FB20FE31
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: #========================================================================..#..# Author .: systanddeploy (Damien VAN ROBAEYS)..# Date ..: 12/11/2018..# Website.: http://www.systanddeploy.com/..#..#========================================================================....[System.Reflection.Assembly]::LoadWithPartialName('presentationframework') | out-null..[System.Reflection.Assembly]::LoadFrom('MahApps.Metro.dll') | out-null ..[System.Reflection.Assembly]::LoadFrom('System.Windows.Interactivity.dll') | out-null..[System.Reflection.Assembly]::LoadFrom('MahApps.Metro.IconPacks.dll') | out-null ..[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")..# Add-Type -AssemblyName "System.Drawing"..[System.Windows.Forms.Application]::EnableVisualStyles()....#########################################################################..# Load Main Panel #..####################################################################
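Added example, not part of the Joe Sandbox report or of the systanddeploy tool: a small Python parser for the flattened dropped-file records in this section that turns them into a SHA-256 manifest and re-checks a drop directory against it. The point it serves is visible in the TS_Debugger.ps1 preview above: the script loads MahApps.Metro.dll, System.Windows.Interactivity.dll and MahApps.Metro.IconPacks.dll with LoadFrom() and bare file names, so whatever DLLs sit beside it in Make-EXE0 are the code that actually runs, and their hashes are worth comparing with what the sandbox recorded. The two embedded records are excerpted from the entries above (Preview fields shortened); the verification function, its status names and the directory layout are this example's own assumptions.

```python
"""Parse Joe Sandbox "Dropped Files" records and re-verify a drop directory.

Added example; the SAMPLE_REPORT text is excerpted from the report above
(two records, previews shortened). Everything else is assumed for illustration."""
import hashlib
import os
import re

# Excerpt copied from the report's dropped-file list (constructed sample input).
SAMPLE_REPORT = r"""
C:\Users\user\AppData\Local\Temp\Make-EXE0\Run_PS_Wizard.ps1
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):118
Entropy (8bit):4.898716652577981
Encrypted:false
MD5:C06C18BDB893042A8216C9B93B163974
SHA1:A3AF42435C2B2FB6EF921BB7240D989F9549053C
SHA-256:A4891FC1FECCD209364ECFED7A5369D8208205D9F6B8C115234DD934F0CC3453
Malicious:false
Preview: # start-process powershell .\MDT_OSD_FrontEnd.ps1..powershell.exe -sta -executionpolicy Bypass -file Quick_GUI.ps1....
C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.exe
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):14920192
Entropy (8bit):4.959699552056395
Encrypted:false
MD5:098D977EB44708935120B21176FC8FAF
SHA1:35CC85E8A03CB17033903B79D08DD03E380B0F15
SHA-256:A0AC0A7902235E07339ECC6B38347E89E581954D5C0C64200CF6FE94DD5E4176
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 10%
Preview: MZ......................@.....
"""

_PATH_RE = re.compile(r"^[A-Za-z]:\\")          # a record starts at a Windows path
_AV_RE = re.compile(r"^•\s*Antivirus:\s*(?P<engine>.+?),\s*Detection:\s*(?P<pct>\d+)%")


def parse_dropped_files(text):
    """Return one dict per dropped-file record.

    Every 'Key:Value' line after the path is split at its first colon (so
    'Process:C:\\...' keeps the full process path); antivirus bullets are
    collected under 'av' as (engine, percent) tuples. Lines before the first
    path (a preview fragment from an earlier record) are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _PATH_RE.match(line):
            current = {"path": line, "av": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = _AV_RE.match(line)
        if m:
            current["av"].append((m.group("engine"), int(m.group("pct"))))
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return records


def build_manifest(records):
    """Map file name -> {sha256, size, malicious, max_detection} for an IOC list."""
    manifest = {}
    for r in records:
        name = r["path"].rsplit("\\", 1)[-1]
        manifest[name] = {
            "sha256": r["SHA-256"].lower(),
            "size": int(r["Size (bytes)"]),
            "malicious": r.get("Malicious", "false").lower() == "true",
            "max_detection": max((pct for _, pct in r["av"]), default=0),
        }
    return manifest


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_drop_dir(directory, manifest):
    """Compare a drop directory (assumed layout: flat, one file per manifest
    name) with the manifest. Status per name: 'match', 'mismatch' or 'missing';
    files on disk that the report never listed are reported as 'unexpected'.
    A 'mismatch' on one of the DLLs the dropped .ps1 loads by bare file name
    means the sideloaded code differs from what the sandbox observed."""
    status = {}
    for name, entry in manifest.items():
        p = os.path.join(directory, name)
        if not os.path.isfile(p):
            status[name] = "missing"
        elif sha256_file(p) == entry["sha256"]:
            status[name] = "match"
        else:
            status[name] = "mismatch"
    for name in os.listdir(directory):
        if name not in manifest and os.path.isfile(os.path.join(directory, name)):
            status[name] = "unexpected"
    return status


if __name__ == "__main__":
    for name, e in build_manifest(parse_dropped_files(SAMPLE_REPORT)).items():
        flag = "MALICIOUS" if e["malicious"] else "clean"
        print(f"{name:20} {e['sha256']}  {e['size']:>9}  {flag}  max AV {e['max_detection']}%")
```

To use it against a full report, paste the whole dropped-file section into SAMPLE_REPORT (or read it from a file) and point verify_drop_dir() at the directory recovered from the host; the parser deliberately keeps the raw Preview and SSDEEP fields as strings so nothing from the record is lost.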
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\TS_Debugger.xaml
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):21575
                                                                                                                                                                                  Entropy (8bit):4.995639671453966
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:k4S8c52D9kq467HPvL467ONCDJ+JNJ6JKJSjurG0YTv2U32/VznaugH/JvNJeNmP:xSUja7ItzRl
                                                                                                                                                                                  MD5:2F9EBD8DBFBA3425089ED577D83FB8BF
                                                                                                                                                                                  SHA1:2BAFBB4A7369BDFDAD6EBA5F14F79BB73762B238
                                                                                                                                                                                  SHA-256:2B694E84532A027E33D223524904534E6965A75D80E2389402837A111CCC875F
                                                                                                                                                                                  SHA-512:053E692E9680A95100F99AA428B5980802E596D8A65FB5EF07867352EA35F015AE60B83A2915BBF112B2269FE542B95772B28FBC732FA7AE4A14D1C92E104A4A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .<Controls:MetroWindow.. xmlns:Controls="clr-namespace:MahApps.Metro.Controls;assembly=MahApps.Metro".. xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation".. xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"......xmlns:iconPacks="http://metro.mahapps.com/winfx/xaml/iconpacks" ...... Title="Task Sequence Debugger for MDT - v1.2" .... Name="MainPanel" ....Height="320" ....Width="700" ....WindowStartupLocation="CenterScreen"....ResizeMode="CanMinimize"....WindowStyle="None" .....BorderBrush="Blue"....GlowBrush="{DynamicResource AccentColorBrush}".....Topmost="True"......> .....<Window.Resources>.. <ResourceDictionary>.....<Thickness x:Key="Tab_Border_Thickness">0.7,0,0,0</Thickness>...... <ResourceDictionary.MergedDictionaries>.. <ResourceDictionary Source="pack://application:,,,/MahApps.Metro;component/Styles/Controls.xaml" />.. <ResourceDictionary Source="pack://application:,,,/MahAp
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\cmd.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):15258
                                                                                                                                                                                  Entropy (8bit):7.637754851189673
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:+4s3ZdJ0ayocpws5nH9z/nSMyGjjwolG1mDKbCC2:+4s3ZDcpZH92PGj/G1dbF2
                                                                                                                                                                                  MD5:AFF4954E12F4F2A299A3C763A1679773
                                                                                                                                                                                  SHA1:839B486AFD50515A78F6ED8A84DF3E0E35910BDC
                                                                                                                                                                                  SHA-256:BD3A94027CDC262AAE78B76E76579D7EEFCD5B19C602F546ABA0C73970B670D5
                                                                                                                                                                                  SHA-512:EABF23A331C9CD978ADA1BAE86FB1C9E758979EADC1B65A46B12FE65A0EF2E8D9FF44A6D37D02246C57D4C01EE8C1EA96A9A0CD1DD3D2D4B54799C6E1E42BEF9
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR..............x....;aIDATx......W}..{...3.k].%Y.e.61F6`.2r..r\`%-)...R..86...ae%RCh...........$....J...S^v........p.@..t...W.4.{.9{..Yk/@:.#f....?..37../^.x....u.e...X0.<......._^..<x............u.rD....}.........[.?^...1..........o..z..D.a.d...............G.............=m.}cuua*.....^X.?.......7{o^]4...................o.......0................7...o..S......I.F;.xxxxxxx3.........Y...rV6.........k`..h..F.9...........K..... l:G ..`....................:.....l<<<<<<.<.Q.A..h..+.......K/7...t...L2]!_.......]O7.im.....=..?.......^...>.....<<<<<<.vw.........7.o.'.........<.X9xxxxxx.?+........ge.........l<<<<<<.................s1.[.............o=IP.........>..V...<........u.....7................D=.7..._.Y._...laV6......_.Pc..h..FF...........R....................t... .;....A7.)+.......;O....@R.....b.|.+.......?/7...t...$.g.be......... ..s....G...........[].g4.!..W..E.s.x....?K..s.4.E../..F/.B..../......\...H.T.<<.^z/...r<[....ir.....].....^.
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\crash.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):16611
                                                                                                                                                                                  Entropy (8bit):7.7909539066681175
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:nd8sBTeh6MuhQfPeR9p62maYmChkmuHaQFwLGp2PwzxuKJhfL:ndbZMNHeRXmaYJhhuHaYMYzLhfL
                                                                                                                                                                                  MD5:3452EBA8C39470937510D54BE2132000
                                                                                                                                                                                  SHA1:EAEF29A728AB2236B300533DE34ABF7C3D67FA2B
                                                                                                                                                                                  SHA-256:A2940625FE958FAEFCD739D8E9C92CB7C4F7642F8F0993C646EF33DA8DD9CE3B
                                                                                                                                                                                  SHA-512:7FD83A2636EC7BF52DF0F74A48A7F08AF508E0D5BE5C7F65076BCB662BD1A3ABCFE55D59AC230ADC41065D5BB4A0ADC0CF3E036EB48773052147FC65B8D34CF8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR..............x......sBIT....|.d.....pHYs..........+......tEXtSoftware.www.inkscape.org..<... .IDATx...y.%U}...........t.....0.......h..h41.\X..5j... F41.Qq....}.....5.AP..E.q..`..}...nU..G....3..N.[...1.a..:.....N..........................................................................@z....5l..T..?2.E.:S.2I=...K...................m.Q.P.0...... J......../.x..Z..y..@sZ.vm.-.....!#..b.Gk...]......o.........:K]?...%.\...l..k..."....pX.l.J.K.3\..$..U?...W.......s.y...+..I...H....7.t.)....B...Xk.2....w]......R.....[..],....@. .`V[.n]`e... .....A....k.QR..:..`?.Z.....u..N#.J.u.).~.4=...)../.......hj......v]..Z..@.#...Nw]..f..@.".`6...........M....&.~.4...fSp]......&C............a?........~.4....D...h.........v........j........Z........R........F........:...H....*...H...."...H........H........H.....q].k/....a.>....P+et..y.z%.$..V..u.f.K..v....z............Y.,B5I.%..c..Z.]..{.|.E..;..L.t..k[.b}s....F:E.}....,.;....m^..S...F.Q]9.}...`...H?.=...x.].
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\devicemgmt.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):56034
                                                                                                                                                                                  Entropy (8bit):7.989557064665768
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:GlxttVj2wBQYs0bYDaCTa+jG4NmzhmVvmh6a3BeMMMMMh:GJX2sxSDWKG4Nm6+hrsMMMMMh
                                                                                                                                                                                  MD5:F8070E6B6779254AC41ECD597D48A821
SHA1:DA54F84124AFE8E312F0CF966DCCE7A0DA33B43A
SHA-256:DC46D18FE1CE2B1F0DA121CF4188C996114E00A48E05885FFC903A4DA6C2DB2F
SHA-512:16CA660A145031C2FCD6F7A9303E642EB209D67205E671E4B0D0A9329850BA129008D3B8A1DDBB187DE130B6BF4FE5574A3E7D8DD5ECC32CBE0469CC1A30F649
Malicious:false
Preview: .PNG........IHDR...,...,.....y}.u.. .IDATx..{.$.u...czfz......ww.>.....A.&@...&)F.+J$E*9.J9...8....rU*);)W\v.%...R"'...hK.#.E.$H.$.............==.3......._.<.]. ....5...o.s.w....P.D........J.(Q.(..D....%a.(Q..$..%J....U.D.C...J.(qhP.V..%..J.*Q..AIX%J.84(..D....%a.(Q..$..%J....U.D.C...J.(qhP.V..%..J.*Q..AIX%J.84(..D....%a.(Q..$..%J....U.D.C...J.(qhP.V..%..J.*Q..AIX%J.84(..D........J.......$.' .....c.c.2:.......4.o.Bg{..[..)........?.....J.E.}.%....\..........G.....9I...HJ... 6...s0.`..%Q...w.......v.Q.V.w....o$..y.'.....cNRA+n#............i@=...{....)..p...m.&...Ii..$;@bU.......#D]......(.m.P.V.w....o$....#...;#D.0"r........@..P.J.z......UF,...}u....j...q8q....q.+.....{...w.b.&c.O~.$.w.%a.x[X.....s.Cn.9.D'q..0...1........Y"q.a./..j..$.b._.j...HH...0Jl.......p*....L.Z..;;P.o q:..]l>.;%...J.*1........h...^..@..S;.ef/....K....X.r*B|.m.:..B....@U....d!4$.. ^'....#dU.v7...#.0..q.$*<.q`6...j..k:.&..D....P.H7...T.m..$7..U"....D>~...y..........x.G.e'.@J..T.....
C:\Users\user\AppData\Local\Temp\Make-EXE0\diskwipe.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 200 x 200, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):19174
Entropy (8bit):7.960082595788487
Encrypted:false
SSDEEP:384:6OfdXSul9wsz7wbSoPJiqI8kf8L12w4Z2bPsqh2LWrlK3Ns:6KdCF278lI87IwU2NOWpkq
MD5:F8C3F50931BC38D327BDABD864B15FCB
SHA1:873EB40D271601265D4E1EAC8E8530762F6BD50B
SHA-256:EA8EDBB176E02086E547C6BA96D7F452E2DB5C0D609EDD102C1D9B4B58FBEFB1
SHA-512:65C0689BBD8FD2BE01953A281390AC0137254D04C660C9A78EFD7E1419859A423B80AD68D1D42FE8D4338938A1F8B29A69555E7A33F11244B057975C51F6802D
Malicious:false
Preview: .PNG........IHDR..............X......gAMA......a.....pHYs...........~...J.IDATx^..xT..........#u..Bi..-...-.....[p...@.`....Q .F.....(-..z.=;.3..|..}f2......w......2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!C...2d.!..Ef...M.....Z$...L4....;.n...m..s.x.c.D....>._%y....>......\...U.W.....F..{}..$..BS.].....&...%..L.7...(....s....D..Y..9.<....I0:F&.8~....._....OB#..."...~..S.\.'.9.H.w....J.a.);|4e..Qz.(.T...K.t.. W...2.q.J.!..g.('.r.......%...$......y..a.oe...l.}#......1.....Q...$..P...].8JY%.;SJ.3.1L..KN(.^..i.}Qf..;. CF.t.c..cO......q'..QV....(p.....T..N."CF.`.*.A..s..SR..-**]0......@...r.......d.x.q4~._.B.x...Q.....h...VNBz.d......H.s.h~h2d<.(... v.%.2...U.,.!]..$?Uz.X...l.K.....5..m~x2d<.....}.....SR.....@b-.."] .&]0..:...~Nyi.Nu..S..'.9....7..b.$k.D.a4C.q.H.%(j....X...< ..._..W.......].wO..=.;.......(..U.Q..(.!.I(-..+........."......
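The size, hash and entropy fields listed for each dropped file can be recomputed on a suspect host to confirm whether the same artifacts were written under Make-EXE0. The script below is an added example, not code from the report or from the sandbox vendor: it recomputes the report-style fields (size, MD5/SHA-1/SHA-256/SHA-512, 8-bit Shannon entropy, a magic-based file type) for a file and looks the SHA-256 up in a table copied from the dropped-file entries on this page. The `make_png` helper builds a constructed RGBA PNG in memory so the script runs offline; the `triage` and `sniff_type` names and the file-type strings are this example's own, not libmagic's or the sandbox's.

```python
"""Recompute the fields a sandbox report lists for a dropped file (size, MD5,
SHA-1, SHA-256, SHA-512, 8-bit entropy, file type) and check the SHA-256 against
the report's dropped-file table.  Added example for this page, not code from the
sandbox vendor; the REPORT_SHA256 table is copied from the report entries."""
import hashlib
import math
import struct
import sys
import zlib
from collections import Counter
from pathlib import Path

# SHA-256 -> file name, copied verbatim from the dropped-file entries in the report.
REPORT_SHA256 = {
    "EA8EDBB176E02086E547C6BA96D7F452E2DB5C0D609EDD102C1D9B4B58FBEFB1": "diskwipe.png",
    "EF6ACEB53E913BEE3529D2A22A55C6079C2DEC93782F1EE34016C22C22A5C272": "explorer.png",
    "1A70852AA615525C7EE591D3C8BDEF6D5D8C8EE5DC9F6A55DE3ED8F77A9EFF26": "logo.ico",
    "6601868A665A2CD9CFA69A0A895BD1E1745D538A8F6AF527D6F5198AF15FE310": "logo.png",
    "6E65FB47BC3B191CD666A2AD14C8AC07BF0C86D849C2384349669E7DDBE458D5": "mstsc.png",
    "F54364C6EE16E1D6E7F5936BF03FAB7A3FF44EC962566212EB459C11DD6D4ED6": "powershell.png",
    "1B3C10D24F877C777DE09D342890025BB3513143F6A87C7A867A57721AFFEDD6": "regedit.png",
    "E2B679AED8227A9261374473DF65DDDE8B51D1449C22B29A4158E76495451D8D": "restore.png",
}

PNG_COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "colormap", 4: "gray+alpha", 6: "RGBA"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), i.e. the report's
    'Entropy (8bit)' field.  Deflate-compressed PNG IDAT data routinely scores
    7.8-8.0, so a high value alone does not mean a file is encrypted or packed."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sniff_type(data: bytes) -> str:
    """Minimal magic-based identification for the formats seen in this report
    (strings are this example's own, not libmagic output)."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        width, height, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", data[16:29])
        kind = PNG_COLOR_TYPES.get(color, f"color type {color}")
        laced = "interlaced" if interlace else "non-interlaced"
        return f"PNG image data, {width} x {height}, {depth}-bit/color {kind}, {laced}"
    if data[:4] == b"\x00\x00\x01\x00" and len(data) >= 6:
        count = struct.unpack("<H", data[4:6])[0]   # ICONDIR image count
        return f"MS Windows icon resource - {count} icon(s)"
    if data[:2] == b"MZ":
        return "MS-DOS/PE executable"
    return "data"


def triage(data: bytes) -> dict:
    """Return the report-style fields for one dropped file, plus the name the
    report lists for that SHA-256 (None if the hash is not in the table)."""
    sha256 = hashlib.sha256(data).hexdigest().upper()
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "type": sniff_type(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": sha256,
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "report_match": REPORT_SHA256.get(sha256),
    }


def make_png(width: int, height: int, pixel: bytes = b"\x00\x00\x00\xff") -> bytes:
    """Build a minimal valid 8-bit RGBA PNG in memory (constructed test input,
    so the example runs without reading anything from %TEMP%\\Make-EXE0)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)   # 8-bit, RGBA, non-interlaced
    scanlines = b"".join(b"\x00" + pixel * width for _ in range(height))  # filter type 0 per row
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    # Usage: python triage.py <dropped file> [<dropped file> ...]
    # With no arguments the constructed PNG is triaged instead.
    paths = [Path(p) for p in sys.argv[1:]] or [None]
    for path in paths:
        data = path.read_bytes() if path else make_png(200, 200)
        print(path or "<constructed 200x200 PNG>")
        for key, value in triage(data).items():
            print(f"  {key}: {value:.6f}" if key == "entropy" else f"  {key}: {value}")
```

Hashes are the reliable match criterion here; the entropy column is context only. The PNG and ICO files above all carry a valid image header, and their high entropy comes from deflate compression of the image data, which is why the report marks them "Encrypted:false" despite values near 8.0. A dropped file with entropy near 8.0 and no recognisable header is the case that warrants a closer look.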
C:\Users\user\AppData\Local\Temp\Make-EXE0\explorer.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 400 x 400, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):13744
Entropy (8bit):7.899336187984637
Encrypted:false
SSDEEP:384:ClHv0pjikN8DA76NC6br5fHKO47D6A3WkGZiy:RpaNCYr5K72A3W1
MD5:4F53D85412A4DB4830D9FCCC5F4F7621
SHA1:E6C0397ABE706D57EFAE6022422AB1ED1BBCF504
SHA-256:EF6ACEB53E913BEE3529D2A22A55C6079C2DEC93782F1EE34016C22C22A5C272
SHA-512:1E2C81E8101602B5FEBFAAEF55C26F1C5A6965C3C04D572789415EA1E2F798C3A70591861295C9861EBBAD75BA9E5F59869CB9558AA28920B8631423570DF810
Malicious:false
Preview: .PNG........IHDR...............6.... cHRM..z&..............u0...`..:....p..Q<....bKGD..............pHYs..:...:........5$IDATx...y.+W}'...VI..~......v0&.c0......'!....!..d...L8$.......2$'C..<..1.p....B0x.........z.Vu..G..[.*..$uK...9z.V..Z...W..[.............................................................................................................................................E.....@..hz..?.7......A.......&.q...d......i|....5.";L.$D.....H..y_..X....q..:.c...X...A7@.!"`..M,.....a.~o...g+W]6W..I...=.1..w..A.P..P5..UE..Z.4[..}ZA..i.T......U(....Va..7TU..7Z.c..V..Z...P(.V....o.4...D|..9_f..s......T.f..T.F*..Z5.T...W#.'...{.....T|...D.[1.."._....}....."&...{.c .g..DD...........yb..E....b.}1"... ...H.F.#.1.....1"..H......M....._..o...O<... .y].vq........\.........z.s.....o5.."..........$..v70..M.6...s.s[.#.3.G5k....N....S:..%.^.0...._.@.1"0....}!.1....&..w..y]..H.{.A.>..>.?.. ...@....}....C. .|oE.....n....a"]3F.<.V......./...5........"C.....n......f~..{...`..g
C:\Users\user\AppData\Local\Temp\Make-EXE0\logo.ico
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:MS Windows icon resource - 1 icon, 256x256, 32 colors
Category:dropped
Size (bytes):270398
Entropy (8bit):3.454021913511292
Encrypted:false
SSDEEP:768:aGKsHW2Ga/HzjfiwPya9VMvCsbQpDKsHqYZtA7GBwscYRwq60DaHLMkCkCtHMJCz:aFwWY/TuwPJ1q0q2A7/scQ00kdRCpm
MD5:B6FB80563E64E9BFF7C72B6257791AC8
SHA1:73BB1D58E674BAA52B0A94DE96AA11D4A66DFB5B
SHA-256:1A70852AA615525C7EE591D3C8BDEF6D5D8C8EE5DC9F6A55DE3ED8F77A9EFF26
SHA-512:6D9156100B2D2C34413C4F13E1880324B51EB3DF3A27DE9F9354706B601A1213F24E28702B70D119F25EA739A164D368F2B7C37CDA5A4A79473C5AC1892E8603
Malicious:false
Preview: ........ .....( ......(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\Make-EXE0\logo.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 518 x 461, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):36434
Entropy (8bit):7.975917561002013
Encrypted:false
SSDEEP:768:O8fNeDiEMRO/rV0HzM1T2T24nvCqdjjZkHh9L2yUjYPrN0:OhDi6/ewJSZk7SB
MD5:F6269ACB98EB60E732222D8181C62249
SHA1:B1EE431AC7A28C9AD5708706928D22C23C4A564B
SHA-256:6601868A665A2CD9CFA69A0A895BD1E1745D538A8F6AF527D6F5198AF15FE310
SHA-512:3D26B71EDE151339828E32AF36B845C67634543786E91B1C4BAD30F963AC3A2BB4DE3BFAA0002F1029EE4F5580E8E0F2338A11663AA87034083326AE32B1EA95
Malicious:false
Preview: .PNG........IHDR.............e..J....pHYs...........~... .IDATx...y|T....-{&...H...T.....R.`..Z.*co....].Xk7k......Z..P..U...(&(.6a...&..d..?f.O.Y33.......9.=OB.y.<...*B..d//....VTVD:.!..Hb Dl.....'..l.6.VTZ"...".Ib D....X..!/W..q'.-...."fi"..."h./...f.b//).....kDB..%.....j....u.aI......@....P.$.B.1Ib D.....*{y.."..u2.P...y.?.........#..qDz...qA.M,.>...!D/.1.b....T.....(..B.7.1.bb........!hK...$1.bb..Q;F.C.kB..".Hb ..`.q{fI...O...11X..fP....,t..!.$.BL..Zn.Pr`//Y..^..".Hb D...K2<[&.D.W....x..9l..!.J..!"c1P....C..Pf_V+x..s...B..$.BDFo.*{y.........&2..a}.c.B..$.BD....#.O{y.`z.<..W. .....#\.1.%..!...9&!D.Ib DtX.gc#...{y.b{yI.pg.....3.p`..@.C......B..).,D...KF.....y...<7.R`...%......O,..\.....u...."h....!c$.C.N,,..C...jpO..kY.F..P..B..]...B.dy............."..%.c .../=.F.I..".....g...D:.!..$1.B...1.".Hb Dd.F:.qT(..B..I....x.Q..t.B..Hb Dd.F:.qv](7..B..$.B.3..CoU.':.5.".Hb ..[..."d......$1.b.y.A..R.Df...z...dM.-.."*Hb ....m.o.e..l.,D.Hb .8....&r..E.Qo.C.p...!.$
C:\Users\user\AppData\Local\Temp\Make-EXE0\mstsc.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):8906
Entropy (8bit):7.477250019846302
Encrypted:false
SSDEEP:192:YrGvufKTNemUSY5TZkhvImWloRdp2WfxByzQT92sIt8ciFbO3s:YKUsxUSY5Cv8lydpYzQx2htnoks
MD5:34736CFD9A430BDB61AF287ACAB26F20
SHA1:20575BC016628D99C75B345F06F0D89879830A97
SHA-256:6E65FB47BC3B191CD666A2AD14C8AC07BF0C86D849C2384349669E7DDBE458D5
SHA-512:7CD3B570ABC61C06B7DFC3D93E45FF90A99928B58689E9FE14BF8B7A3D90073EBC7165CF6A46BF566756CF26FD6CC6B830EED043E699685A53E7349A758EE68A
Malicious:false
Preview: .PNG........IHDR..............x....".IDATx^..!k.a...stq2.. ..L61.-. ...I..o .......$.... ..l&..a`../p.....6.}..~.......|>....D................. ................... .........@................ .........@......... .........@................ .........@................ ..@................ .........@................ .........@......... .........@................ .........@...............`.V.J;J..m...1..p.m..v.]n...c{.....-..|....v...n..K.....v........m.....K.n[.{......m.!.x.........?....q........F....mh.....]. ..l...J.:.[.C..FI.p..j...,........B{.n.....7.......1..f{.N..!c..k-.`.=w.x..mk.#.{.....4.;G.la........T;..!I...w...$U.....SI.TOgB9.iH*....."..t.RL...0.lc...v....e./....e.#Y.#..a.+Tw2.....}.T..S.r..k....................\.....OI.G....jIwi..r9.._...jii..'nn...S..s.1N......u.]..K.j.%*......*%m.&...m.~..:z..6n.h....b........PZZ.[n.Ew.}.>..j..%.(... .pP.b..].?.....T.?.'..../.}.....h..I... ...~.....n.:m.Ua..~.O...,..&....u}......'.7..q.}Z$.TDCCCZ.f.].
C:\Users\user\AppData\Local\Temp\Make-EXE0\powershell.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):8265
Entropy (8bit):7.823632639504042
Encrypted:false
SSDEEP:192:PW2yGjcd9cnBuxnrph8WQG4upei6JT2wBREqkB7sEdheKk3xdIzg+P8j5l1GK:PWBdinunrphPD0i+T2akB7H0KYxdI0+w
MD5:A75FB8574D90B677B3AF147FE6CBA570
SHA1:AF7BD014022D65ECA89943863B5F19EA13DB2C2C
SHA-256:F54364C6EE16E1D6E7F5936BF03FAB7A3FF44EC962566212EB459C11DD6D4ED6
SHA-512:53AB47EEB161DDB08318C8B18D6EAF8E21909E92504C797BF080F7EF5F3F0919D40C92CA243B1E0E9B3C500E6A657DDF8739EF7EEDF2EC0D5E7E304C232A6133
Malicious:false
Preview: .PNG........IHDR.............\r.f.. .IDATx^.....0..Po..v.'p..A.p..8.3.....*.i...`.{...k9..-f......................................b...>m..6...l.z..u...k.......g...0.O.h..u./.,.r....<...s.B..jU....?....k33.~.I7......C4.1.!Z...Z6.......8......[.Z....lc..&..$j;fI..RS3..C.,,I./.l.....!...T..d.......T......m..C.0...".l.z.~us.4..^.{..]..Ra\*U.....2.'... ....B .P..N0..+.....W........4.....w./.].u.?.......E.#.....P......uI?..]U..Y......D=...C..fH`.>......a.Ia9...B(.J.#.......~_..'A?.i.....H.U....O...h.:A;.s...2.....U..Y..Qu.L.'...6L...p.!n.A.....n......)...S-.S..~...tZ.....!.o.9:.-G..O.......O...x..T........_:....d.4.IJ`|.0..y......h..k.....J....~.$T........^L..T....>...d..'.._...._..4.9>>.3..tV.....?....%.....s.'!.k.<.. OM.......z...P 5L....)t$...]$.....~..l......U..''..U.)..T......*..!O....?.+.t...N.be.jM.>.<-;.l.h....S..c.j.6.!O..![.z....z.P..U...}.. OC...B..tT...7A...1..*....Az.7I8......6A.C..a....}...zK....U...!..........-@.^u4...f.....+."..1.i.Ax%
C:\Users\user\AppData\Local\Temp\Make-EXE0\regedit.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 200 x 200, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):24897
Entropy (8bit):7.980969703169688
Encrypted:false
SSDEEP:768:QscwQyMMBMl53vqSGspXeaBBxPvSwNDSqZN:HJy13dpXJhfX
MD5:E3254848DA50A2CB49A425EC98F2B61C
SHA1:7FDACF376ACD4EA4C037BF01E7DC8D272B999167
SHA-256:1B3C10D24F877C777DE09D342890025BB3513143F6A87C7A867A57721AFFEDD6
SHA-512:138ABC1C99FD2C99BDF886612B84D3D6CB664100CD5FBD38A2A6BC0D6D2705AECDE583AE7D2338F48F9BB113D05F8BFDDC9EC25535A69E2060449E2FC082B4D3
Malicious:false
Preview: .PNG........IHDR..............X..... cHRM..z%..............u0...`..:....o._.F....pHYs...............`.IDATx^.].xTE.ww.!."RD........X.%....],4.@z'.w.7.. 5...B...`E...9.yg...ei).r....e.y.33w.b..+..[..c......n.....x.#:...!..Rm.....,k.k.......rF..~....V!p...i}...{>.%...b..#.G....i.(..M.j...y........CjD..a.g*.....9....}..*...n..}..C......['.8....C....G.{..$$...LR..%..,r....f.T5&ez...!..NjS..Iu...1.#....>..}.{.....|..5^..\-F*).ivD0i@..,&L.U..M..R~7.nY..m.....z...U..7..W..[P...S.:.gb.'...M.Y.i.NR.......,..L.&KL...sx.!K..5n!.F.2c_...V6h.......r.....?.{..]P..:|.$/'..U..^.$:.,..HW,.@....u.=,!...-+.....&...Q..-...b.+.}....i..qt....V.3.#.,?B.0v..]-i=.....bp.b..}...N;n...a.H.\+.!.\...:-.N..k...Z9..g...^.?..xD.%E.'.e........C..C..,|V+.!.\sb}t......rE.g....*...1....d&J.PC.....,$i.I.4..[.....o{7..V.C..v...ot.9}.....p1 h.f..d.fK..$.?O.5$.&I........`a...Ijxz.M.v.!".V,C....%.6.S....q...W.;.......3A..#.`..$..'.3"..cT...kE3..[....._.{.`WvW$..`E:f..-...9.u.[u.
C:\Users\user\AppData\Local\Temp\Make-EXE0\restore.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 512 x 362, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):109280
Entropy (8bit):7.985735897675795
Encrypted:false
SSDEEP:3072:FJ6ziO6UvWOGDUQM4kZP3DZIURRcc30lT/c:iziO6UvWu46ljRSlTE
MD5:BFDC28FC53C601D4ACB61B39A6834F39
SHA1:0350DAE4136F3C6BD876AC99954F07E9E3735CA7
SHA-256:E2B679AED8227A9261374473DF65DDDE8B51D1449C22B29A4158E76495451D8D
SHA-512:533746C6F1838C6AF317D67219FFFCF621829EA3BB77700D5C84F32093F8E6FA0A057BA1B036BF153B183E4AEED258C77D844964D4C29A9B61CD61D162E861A1
Malicious:false
Preview: .PNG........IHDR.......j.....l..[....pHYs................EiTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="adobe:docid:photoshop:17504b4a-86cf-f744-b5fe-52c57d8b89dc" xmpMM:InstanceID="xmp.iid:733c357a-7d8f-e247-9fce-1660b158563b" xmpMM:OriginalDocumentID="EF9FDAA9A13C2E24042C162B94FE0F94" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCP
C:\Users\user\AppData\Local\Temp\Make-EXE0\round_english.png
Process:C:\Users\user\Desktop\TS Debugger.exe
File Type:PNG image data, 64 x 48, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):4616
Entropy (8bit):7.917109931167327
Encrypted:false
SSDEEP:96:VSxiyJEHEeleVVvwo2THRMHDHN0JXjZS7DCxxPkkz+8EfdtX5lFXXg:VS4CSExVVvwlTxMjHN69FPkkzEdQ
MD5:18126FEEC380794B3EE3CF2341F8646C
SHA1:D62D3D06CC282D716981B00462E0DE6F17925349
                                                                                                                                                                                  SHA-256:D88F23192BC10CABE23B071D55DA1D806203FFCA5CEB07327CD23317BEBC2560
                                                                                                                                                                                  SHA-512:CDD0D11E4FC23B498666AB3795525CB5E29E6AA1829D4F303D9D5A3DFB70147A1987100B6529676B946AD302D79223AEB68911DF95E73EDFB202558BBCB596B0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR...@...0......K|.... cHRM..z%..............R....X..:....o.Z......bKGD.......C......pHYs.................vpAg...@...0........IDATh..ip]....]O.%k...}7.x.....`.H...&)R5.f......LM..I.!.T*.@.f ,^..y7x..`.eIF......{~.-...T.:.t}..>_.s.t..O..9.T;.lG..0r"s....D.:w__F..u..F.0.H..f..{.^^;.n\....:.UdZV...g3...M..........;w...3.\....R\.".s.J..-*).^VUY1....WN.W...[).sH#l^...........1S[....9.~z..?.h;..E.{=@\k.R.=~.....k+.k....TQV.).ORYYA:.G$.x=}......$.....,=g......~.q....k.......?ytW....*......../*.^.......S&L.._f.....Fk.R..C..b.......R.4..1&.0>Z]Y6...j....I........m-M.32V|...`M..l.]0.[..uk....S."..7.4X....!....Y.!......i.2>.!0....j.. ......H.....?8zp...pU....."3n^}.N.?RQ]s.97....f|....e..a_..=o.. %...@.u.....R@^*....&v`.m..........;...Wt.+}q@....[..&.$...9.j....'..8N....n......\..2..W8n....d...~..0.;.N..V,T....X.v.`s......5c..[.H....?q....g.).x......|..<oP..s.<_....^_...U.2.j............0./..bu.t;...eE$..8.9Qj..8.H.n....
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\round_french.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 64 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3256
                                                                                                                                                                                  Entropy (8bit):7.872581426791816
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:VSx4KYSnrUBYr6TE5B40eXs2RGmasHfd3G:VSuKYSwB4+E5B40eXDRjasHV3G
                                                                                                                                                                                  MD5:4A466045DB5B622DFB57818E7815F9D3
                                                                                                                                                                                  SHA1:DE5F73C3D008FA23F5A5CB285152D7B5BE5D4F0B
                                                                                                                                                                                  SHA-256:EEBEF69273DC1E9637B347A57BA5FA196037AF3CDDCFB70FA4A712C4FB73EAA0
                                                                                                                                                                                  SHA-512:C6B9D5093EF640FD0FC928C38048B5B7D0C247BFF8DAF9BD818CFE43A1076458BE2CB84B6EDC229D34B9B00349A8D9BF86C5B27629B28537658C423F1BF8E735
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR...@...0......K|.... cHRM..z%..............R....X..:....o.Z......bKGD.......C......pHYs.................vpAg...@...0........IDATh..[l\.y..s;g....")..,.d...m...v..u.(.Q..C...c..O.K..m..F...C...M...%A\.Q.$j$!...BR"%..iR...L.../2.,...E...............o.U..>..f?......^.@Z5...u..>>v.j.UA..O>.d....`...`[[[....Z....$.,//....NNLL......8qb.R.,...-0........G.>....}...'v...Dkkk...Ec.TJ!D.s.4M..8]^^^.....~...O~x.......6vi....D..H...{..v.q...../|..{....Ji..u..ZK.$......?}..._...../........)M5....w....\....6<..........;....H).B .@V...]... u.S...R./.W...;.q.\....?N..`.;...K.O.q../.}.....N)...t...9~..k..>K..pu.|g.......%O...}..t...]...Jh....C......s...=}....>...'p..m......`.....XT.G....\...N.....&.\o.B#....=.;O%..s.;v..}`..h...........h.m...3.K..$...;:D...zS{dg...~0qy...[. .s...z<...sj..?.O!..#K.@.Z....:.....75..8.H-"......A@pm....m=...r.-.........~.>....|.u__o....rJ%.T.0.DQ....Z.B.C.A.#..Q...E.==.._)u~.7..../[...u.=....?\...t...H..9.9_3..
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\round_german.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 64 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3103
                                                                                                                                                                                  Entropy (8bit):7.856599505811347
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:V/6x43wsv1gcPBvSL1m/nA8T80QHMxvndsh29awVLM6gYPAXBPR8F+I2gonAEe:VSxMwsv1g7b8PQH2LZgJ8AIP
                                                                                                                                                                                  MD5:2B6354A52B9464F9A29D8E678BB64C77
                                                                                                                                                                                  SHA1:A0CA9DA3587BDB224B3B0FFB853A97FBBB8FC486
                                                                                                                                                                                  SHA-256:53A66A91B7A856F51F45C94A806743ECC511EFFAD58A6AF58426FE055C49B920
                                                                                                                                                                                  SHA-512:FAD7E98EC038263CE4DF9D4DACDC8443C625DB42DE21FFB8CEA30DEF2675CA0FB3F42670FC5FA1D5920567D5B877E50B896A3D0BE761B9338945460780A8B4B0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR...@...0......K|.... cHRM..z%..............R....X..:....o.Z......bKGD.......C......pHYs.................vpAg...@...0........IDATh..klT....g.>.......Lx.....N.."m.*...R..i.I.J...T).....U..JE....V.>R...$@x..........3s...y..A.:.......g.w..P.>....~... K&J........z...;.@...H".........#....Bn.eY!.....y.H..Kf2.......+CJ... ..c!....B..-iO$...H$.nii./...54,..F...H.............R...........#........ .....rV.h.hjj....s.U.Z[..X..RZ`....Wu..C..J@....$...==.N%.}o..N.u.b........@.d[[k.E...x.3.6l.j....G`...f.....~NT.A "H) ...d.....'O~zldd.........QL...+..`._.f........e[x....6.ZO..*.KT.BBJ.Tj..........y.3g......\..@.M..b._lo_....!.B.(.`..P.U..<..m!...........`......s...#<..k.W.*.......A.....R.J)h..h....l......o..s[..]znh(u.s....@..M.:.....3.n.....XI.|..L.....,.B4.EooO.0...,=><..m........H.21..Z.r5.k%<.X......AMA....d2...O....MM..].222.... ./_.8....Ng.a..q.&X.....D.L.Z.H).......h4...}?...j.`.(..8....\fG6.Cc.b..|>?.W. ..!.n...8..y:.o|......
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\round_pt.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 250 x 250, 8-bit colormap, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):9445
                                                                                                                                                                                  Entropy (8bit):7.923314797626645
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:01GLm2Csz3nxPUuTsWoblDFQ28z6et4T5RSXDAmHkOfjCA8WCd:RXxPUzWwlRMzOuDAmHkOfu9Ww
                                                                                                                                                                                  MD5:77646B9819FDF2129666ECF2384628DB
                                                                                                                                                                                  SHA1:C78C063D9F7C766EEA3724D0C2C31BA6140DC9B8
                                                                                                                                                                                  SHA-256:86C47E2F155C90D215EA109BFFF1C3EE05FF07809671E0E8E63C15BA6BA9CD8A
                                                                                                                                                                                  SHA-512:96C833C7789C900EC67F2DA98CD04A3E19880E280F3B23CF1D91286C96E7100EF8088D2254EBEB3EF2671B23FA28A87E51196FDB4583D6D1288172751041F532
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR..............2......PLTE....f........f...........f..f.................f..f.....f..f.....f........f.....f..f.....f........f..f.................f.....f..............3.....f........h........2..m.....Q.................V................................*.......................3........#......../..........................ll...........................*.....[....._..J..................................c.....................................S....w.z..........X..............9........O.....>....n..)\..,.......Ak......x....3......x...Qu.]t.1d..E..BB.p."S..)....v...i.t.zP..&....7_....q.v.--.......`.......Tu.,T.!M..YYwx.jY..;..i..d..F.u;.......d.....p..H.x......B...$....p.pm....Il.....wx..wd.....@^..Y.Mi.?e......g.ri..e..U...x ....y{iNL....5C.d/.`...@..W.....X[3\5.I.......PjQ G wx;....[J.../tRNS...4.....}..D.hDON..z..h......4..V.....)(...M).=...!kIDATx...i..@..`.AD..EQ.[.uz2....fc......*o..[.E.}f2..pQ.....~&_.+...."...../#........?Ev.F.&.Ya... ..........?.g...Xa..U. ....
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\round_spain.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 64 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3913
                                                                                                                                                                                  Entropy (8bit):7.903193462864077
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:VSxOE2vY6akGScexDeqesIcHXuSjvwR86z7w1Yvpq4K:VSkh+XqiZCvwRrz7UYR9K
                                                                                                                                                                                  MD5:DB5E2D8932ED15E43859CFC48B1C6577
                                                                                                                                                                                  SHA1:A9B883AB4C260F14D3565FDF1800D47C1C6B7D01
                                                                                                                                                                                  SHA-256:3EB5B84B0492769888D5976C66EAD65388CEE2EB2093D9771AB2DF2C97E7AEB2
                                                                                                                                                                                  SHA-512:A500B1A2E9E0370AD0D0514B1E43A9EBCCB4B689B55437B485B211826AFE1B5E19694C2192ACB97D01F362C83E765AC03FB704B7E45EB05C41EA6C4596E25FDF
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR...@...0......K|.... cHRM..z%..............R....X..:....o.Z......bKGD.......C......pHYs.................vpAg...@...0.......FIDATh..Yl\Gv.....v7...&.....J.mY.v..".2..c'.%.x&A.&..'...A......y.F...$OA..p`..........ey.-..FR.f.w...m..L;M..8.....r....S.:..DM~..|...@..&......h..7K...G..uU...tt.....H6.4..].H...(`|..+..bqpx6w.......V}.....B.. ..Dd_....;.\..~_{{..t6..oJ%...i96B*.L..{..b)(.f.....##.....~kd..7./.bp...+M.D.....z..=....X...7.:;#.D#R.....U8.......j>...`e.l..S...6>..K.}....+.Q..@m..ny....[Z.~.n.....(;..Z.6..%64.F...R.L....N~......./...Mqe.X..V....7o.....w.^...n.....-....x~(~.J........=.!..lV.d..-..}7 :.t....c3..'\+...<.}.......<.y..........f1.W|....>....1.mmN"7...\.ik=s|dx.ZI...........6.......[o..p.y./..@.Ur.....k...He..dDdt...Z....q...K..B.r....g;v..u.CX...q.....X.,S...9.,.+.G].hM..-......!....K...-[7.....Mk{.wwc\o~.~...+.N...F.."jt..9..`...|>66....C...6.G......@....,.._v..&^..4B).....fu*....8./.V.J..D..p......n...l.H"M...
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\round_us.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 250 x 250, 8-bit colormap, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):11684
                                                                                                                                                                                  Entropy (8bit):7.967915672505679
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:wLNEXONb+iZDKFNnm9gaxnilNDqQw3kBHPiUJfolb0WxYc14O6Nc1EktNv51CK3S:GN6iCFmSaJi3Dw3aHPPAlb0uykfVAZr
                                                                                                                                                                                  MD5:B5DEC0E96F51CC077699067A4D62AC70
                                                                                                                                                                                  SHA1:AFF83F590528E167E911EC6D70A8C4900AD37BD2
                                                                                                                                                                                  SHA-256:CC843ED770419B304F172CB3E3E6181A3000FF813F5E5768D373CC2973F1AB13
                                                                                                                                                                                  SHA-512:523B3CAC63E66B7DDB342AD601A52B8D19BBAB45A817A6AFFCDFB2B62B1C1B7BA241018DEF8A78061FB6FAA52B26AF29F80E4C377803358D4634D651AB215AFE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR..............2......PLTE...."298fx1O...98f87f."2...87f......^].."2."2."298f98f. 0...98f. 0...98f."2.!1...;:h98f76d... 0."2."2.!1:9g. 087f...87e..."2."2...$4."2...87e...!2....,......"2............>=j."287e."2...|{....w.........."2.JW...YX}.mw...GFq....9I."2...98fPO}TT.QQ~ZY.XW..<L\[.VU.ee.^^.cb.SR..>N^].kk.`_.aa.hg..BQml..ETii..R`.@P..?.M\.Uc.GV...54c.KYMLz...rq.NM|...nn.....`mGFv....[h../IHwts......'...t.KJy.7Huu.po..6F.We...2B.Yf.]j....cp.IX0/_..+...............(832b....}..................xw....zz........:9g......}|..-^........]h.3C......RQy......EEuCBn...........FEq>=j...............x..#3...-=...............................)([...mw......mg.YW}....................d].MLu.gt@?q.Uf.K\.....|{.yr.....cr...tq..CR.HV...=L.\g...\l..xw......{....!...MtRNS..........I......73..z..jN..N5 .E..F..g....zS-)...idWnZUA@...K..pM......<...*.IDATx.._h.q...d.!K.r.E..AE.=DP=...e..N.....0..........#...J...R.l1.\IAB$#.{...z.../....6..&........~
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\taskmanager.png
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):36317
                                                                                                                                                                                  Entropy (8bit):7.963880341599277
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:z8a32lGDpB/hOYhYj35IzF8qXXEdalw/pR0wnw3KvnXLOPI+m:z3GlGt3Yj30hXXGaO/pxhiPI+m
                                                                                                                                                                                  MD5:59D2A5D301F68C098FDA2E207B3C8C6A
                                                                                                                                                                                  SHA1:F0D24B78D904A18C8FE6B5BFE781551EB4548CF8
                                                                                                                                                                                  SHA-256:FE560386A2B093B454634F2A3D79D997F921C23304408ED99C38841106938EF5
                                                                                                                                                                                  SHA-512:7C70C6D0B647099B60F03B095D82815900657E8B75B87CE01EBB5FD7458D6E4451A9CBCBBCA4C530559CC2328C7DE4A18A49EB854D9B40C99028D22999966071
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: .PNG........IHDR.............\r.f....IDATx..i.$.u.x2k..w...d7w."ERz..Y..%......+0..5?.0f....` .0...m.03...H.e.,=[~2.P...f.....=3c......Y...6...[UYY..q......|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>.|.#...G>..._......O&.....y.{....Z.....n~e...;|..W.....<..!.U|..j4n....R.|.T,.~..3.._^..[...I+.j.....2........&...B..%..........N..ht.0\...\........]..g...............#...h|...8..gq......DA..n..|...P(..b......>=...,-]ill,........k.....we......?...s.5>......G..w..|.k.......R..^._x.R....NG...^............}d....|....C./..zx....Y,...v...q....C....n.;s......O....|....6..}.CE..g.P...@...p....@^`.pO....z..^..@..~...q....@1..;....E.|.j...>..K......^.x...=..}..s....(.`..V(.(...4E=."a@.>.-..................,.T.H....ry.U..@.G...../.ZxsWE.\..w.s.#.....w\C...~.[.+.3......'..n....2.0<..j.BK..m....4.`..^...J|].;...C....'..x....3h..
                                                                                                                                                                                  C:\Users\user\AppData\Local\Temp\Make-EXE0\ts.xml
                                                                                                                                                                                  Process:C:\Users\user\Desktop\TS Debugger.exe
                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):50675
                                                                                                                                                                                  Entropy (8bit):4.959772474445198
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:8ZYpKbTTRdfnfv/xM1dHYEFMcTvqmqy1YCnKtMegbyGYyT3qGOa1qipfJ5lqetp3:0Fa1Z0YBVL7ycJ3w+
                                                                                                                                                                                  MD5:9B1A1060EA87322612E8987EA60C7534
                                                                                                                                                                                  SHA1:1609DA626DC5A8440D44680DFE15F888B494CC08
                                                                                                                                                                                  SHA-256:26D09F21870E8E3ACC686BF067A566ED5D3A717116EC177DC4581F4B621B8B3A
                                                                                                                                                                                  SHA-512:2606511E0C31B15119BFE24754F1E0CBD8C6156BA3172D002329C3A2AC2A5D53658162B7482C418ACF04CADD95474F937A0601928B97B4EE43EFE6D6874FC247
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: <?xml version="1.0"?>..<sequence version="3.00" name="Standard Client Task Sequence" description="A complete task sequence for deploying a client operating system">.. <step type="SMS_TaskSequence_RunCommandLineAction" name="Check supported models" description="" disable="true" continueOnError="false" startIn="" successCodeList="0 3010" runIn="WinPEandFullOS">.. <defaultVarList>.. <variable name="PackageID" property="PackageID"></variable>.. <variable name="RunAsUser" property="RunAsUser">false</variable>.. <variable name="SMSTSRunCommandLineUserName" property="SMSTSRunCommandLineUserName"></variable>.. <variable name="SMSTSRunCommandLineUserPassword" property="SMSTSRunCommandLineUserPassword"></variable>.. <variable name="LoadProfile" property="LoadProfile">false</variable>.. </defaultVarList>.. <action>%DEPLOYROOT%\SCCM_NotSupported\Check_Models.ps1</action>.. </step>.. <step type="BDD_RunPowerShellAction" name="Run PS Wizard" description="" disabl
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ojolwkd.utm.psm1
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n31gxwrz.v5s.ps1
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
Note: the two __PSScriptPolicyTest_*.ps1/.psm1 files are written by PowerShell itself at start-up, under a random name, to test whether AppLocker or WDAC enforces script policy on the host. They are not payloads dropped by the sample: each holds the single character "1", so their hashes are identical on every machine and carry no sample-specific information.
C:\Users\user\Documents\20210625\PowerShell_transcript.745481.PpN4yTEp.20210625121614.txt
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1300
Entropy (8bit):5.366833774999445
Encrypted:false
SSDEEP:24:BxSApi7vBZRRJx2DOXiP9WdHjeTKKjX4CIym1ZJXgMY2uMKxBlaKy8d0:BZOvjZoOzdqDYB1ZaMY2uJdyt
MD5:77B726323D66858A41ACF06D885BF0A7
SHA1:B2050F5321AC53D79C9E2B2155A5B5B88F2B0E00
SHA-256:0055DF732C6DCF1FBFE75653500E2BFB9D2F208A778348AB1F38AF474A42E08C
SHA-512:9DCD4FCAE1BCAF0C4616CE6F49320467600D7E7A83339985E8CF88DE1EC27BDA4338800158D70805DB389592F68A580665E622587F6393384E912C6754468F78
Malicious:false
Preview: .**********************..Windows PowerShell transcript start..Start time: 20210625121615..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe -executionpolicy bypass -WindowStyle hidden -file TS_Debugger.ps1..Process ID: 6708..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210625121615..**********************..PS>CommandInvocation(TS_Debugger.ps1): "TS_Debugger.ps1"....GAC Version Location..--- ------- --------..True v4.0.30319 C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089.....**********************..Command start time: 20
Note: this file is not written by the sample but by PowerShell transcription, which was enabled on the analysis host. It preserves the full host command line (execution policy bypassed, window hidden, script run via -file) and the commands the script executed, here including the load of System.Windows.Forms from the GAC; the same evidence is available on any endpoint where transcription is turned on.
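The transcript records the exact host command line that the report's "Bypasses PowerShell execution policy" and "Sigma detected: Non Interactive PowerShell" signatures key on. The following Python is an added example, not part of the sandbox report or of any Sigma rule: it recovers the command line from a transcript header, normalises the abbreviated powershell.exe switches an attacker can use in place of the full names (-ep, -w, -nop, -enc) and scores the launch. The EVENTS list is constructed; only its first entry mirrors the invocation seen in this analysis, and WEIGHTS and THRESHOLD are assumptions, not values from the report.

```python
"""Score powershell.exe launches for the execution-policy bypass / hidden
window / non-interactive pattern seen in this analysis.

Added example, not part of the sandbox report or of any Sigma rule. EVENTS is
constructed; only its first entry mirrors the invocation recorded in the
transcript on this page. WEIGHTS and THRESHOLD are assumptions."""
import re

# Canonical powershell.exe switches and the shortest prefix the 5.1 command
# line parser accepts for each; "ep" and "ec" are explicit aliases.
SWITCHES = [("executionpolicy", "ex"), ("executionpolicy", "ep"), ("windowstyle", "w"),
            ("encodedcommand", "e"), ("encodedcommand", "ec"), ("command", "c"),
            ("file", "f"), ("noprofile", "nop"), ("noninteractive", "noni"),
            ("nologo", "nol"), ("noexit", "noe")]
TAKES_VALUE = {"executionpolicy", "windowstyle", "encodedcommand", "command", "file"}
INTERACTIVE_PARENTS = {"explorer.exe"}      # parents that imply a user typed the command
WEIGHTS = {"execution_policy_bypass": 2, "hidden_window": 2, "encoded_command": 2,
           "no_profile": 1, "non_interactive": 1}
THRESHOLD = 3

# Header of the transcript dropped in this analysis (from the report), plus
# constructed process-creation events (parent image, command line).
TRANSCRIPT_HEADER = """**********************
Windows PowerShell transcript start
Start time: 20210625121615
Username: computer\\user
RunAs User: computer\\user
Machine: 745481 (Microsoft Windows NT 10.0.17134.0)
Host Application: powershell.exe -executionpolicy bypass -WindowStyle hidden -file TS_Debugger.ps1
Process ID: 6708
"""
EVENTS = [
    ("C:\\Users\\user\\Desktop\\TS Debugger.exe",
     "'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1'"),
    ("C:\\Windows\\explorer.exe", "powershell.exe"),
    ("C:\\Windows\\System32\\cmd.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ("C:\\Windows\\System32\\svchost.exe",
     "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"),
]


def canonical_switch(token):
    """Map '-ep', '-Exec', '-ExecutionPolicy', '/w' ... to the full switch name, else None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    for canon, shortest in SWITCHES:
        if key == shortest or (key.startswith(shortest) and canon.startswith(key)):
            return canon
    return None


def parse_powershell_args(cmdline):
    """Return {switch: value-or-None}; quoted tokens lose their quotes."""
    tokens = [t.strip("\"'") for t in re.findall(r'"[^"]*"|\'[^\']*\'|\S+', cmdline)]
    args, i = {}, 1                          # tokens[0] is the executable
    while i < len(tokens):
        canon = canonical_switch(tokens[i])
        if canon is not None:
            value = None
            if canon in TAKES_VALUE and i + 1 < len(tokens):
                i += 1
                value = tokens[i]
            args[canon] = value
        i += 1
    return args


def host_application_from_transcript(text):
    """The 'Host Application:' line of a transcript is the original command line."""
    m = re.search(r"^Host Application:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def classify(parent_image, cmdline):
    args = parse_powershell_args(cmdline)
    parent = parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    indicators = {
        "execution_policy_bypass": (args.get("executionpolicy") or "").lower() in {"bypass", "unrestricted"},
        "hidden_window": (args.get("windowstyle") or "").lower() == "hidden",
        "encoded_command": "encodedcommand" in args,
        "no_profile": "noprofile" in args,
        # Sigma-style "non interactive": not launched from explorer and handed a script/command
        "non_interactive": parent not in INTERACTIVE_PARENTS
        and ("noninteractive" in args or bool(args.keys() & {"file", "command", "encodedcommand"})),
    }
    score = sum(WEIGHTS[name] for name, hit in indicators.items() if hit)
    return {"indicators": indicators, "score": score, "suspicious": score >= THRESHOLD}


if __name__ == "__main__":
    print(classify(EVENTS[0][0], host_application_from_transcript(TRANSCRIPT_HEADER)))
    for parent, cmdline in EVENTS:
        print(classify(parent, cmdline)["score"], parent, cmdline)
```

The prefix normalisation matters more than the weights: a rule that matches only the literal string "-ExecutionPolicy bypass" misses "-ep bypass" and "-exec bypass", which PowerShell accepts just as readily.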

Static File Info

General

File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):4.959664160542963
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:TS Debugger.exe
File size:22380544
MD5:3e829fb863de2e9dd877b9f9f426a7db
SHA1:40521cb203d7e29f532be9b501e4a14131daedf1
SHA256:31f79f2de34cbbe52b7b9a531adb45df3766a7bf82df76fa0731d0303c62e678
SHA512:5d9c724683052bd4f4b860bad01275f51b0599e6516decf8649cf2af9884871b5dcb4677c3e08f471b1d61c932e24dc06d3740838d19841a63eb06e130baad17
SSDEEP:49152:jMz7ZQJ7iC93wykkkZWZ+xV/FGhoDTqV7Mz7ZQJ7iC93wykkkZWZ+xV/FGhoDTqD:jKyJWCQZmRKyJWCQZmTKyJWCQZmpOn
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_.................VQ..(.......sQ.. ....Q...@.. ........................U...........@................................

File Icon

Icon Hash:0c0c0c17154db292

General

Entrypoint:0x19173fe
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5F05C881 [Wed Jul 8 13:22:09 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:v4.0.30319
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
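To reproduce the header fields in the table above without relying on the sandbox, and to confirm that the entry point is the CLR stub rather than native code, the following Python parses them directly from a PE32 image. This is an added example and not part of the report: by default it parses a minimal .NET-style image that build_sample_pe() constructs with the report's time stamp, subsystem, image base and DllCharacteristics values so that it runs offline (that image is not the analysed sample); pass a file path on the command line to parse a real binary.

```python
"""Recover the 'General' PE header fields a sandbox reports (time stamp,
characteristics, subsystem, DllCharacteristics, entry point, CLR version)
and check that the entry point is the 6-byte CLR stub and not native code.

Added example, not part of the sandbox report. build_sample_pe() constructs a
minimal .NET-style PE32 image carrying the header values from this report so
the parser runs offline; it is not the analysed sample."""
import struct
import sys
from datetime import datetime, timezone

CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                   0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
                       0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
COFF = "<HHIIIHH"                               # IMAGE_FILE_HEADER
OPT32 = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"       # IMAGE_OPTIONAL_HEADER32 up to the data directories
SECTION = "<8sIIIIIIHHI"                        # IMAGE_SECTION_HEADER
COR20 = "<IHHIIII" + "II" * 6                   # IMAGE_COR20_HEADER (72 bytes)
METADATA_SIG = 0x424A5342                       # 'BSJB'
IMAGE_BASE, IAT_RVA, COR_RVA, META_RVA, ENTRY_RVA = 0x400000, 0x2000, 0x2008, 0x2050, 0x2070


def flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def rva_to_offset(rva, sections):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by file data" % rva)


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from(COFF, data, pe + 4)
    opt = pe + 24
    f = struct.unpack_from(OPT32, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, image_base, subsystem, dllchars, ndirs = f[6], f[9], f[22], f[23], f[29]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from(SECTION, data, opt + opt_size + 40 * i)[2:5] for i in range(nsect)]
    info = {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "characteristics": flags(chars, CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": flags(dllchars, DLL_CHARACTERISTICS),
        "entry_point": image_base + entry_rva,
        "clr_version": None,
        "clr_entry_stub": False,
    }
    if ndirs > 14 and dirs[14][0]:                                  # directory 14 = CLR runtime header
        cor = struct.unpack_from(COR20, data, rva_to_offset(dirs[14][0], sections))
        meta = rva_to_offset(cor[3], sections)                      # cor[3] = MetaData RVA
        sig, _, _, _, vlen = struct.unpack_from("<IHHII", data, meta)
        if sig == METADATA_SIG:
            info["clr_version"] = data[meta + 16:meta + 16 + vlen].split(b"\0")[0].decode()
        # A managed EXE's native entry point is "jmp dword ptr [IAT slot of _CorExeMain]"
        stub = data[rva_to_offset(entry_rva, sections):][:6]
        iat_rva, iat_size = dirs[12]
        target = struct.unpack("<I", stub[2:6])[0] if len(stub) == 6 and stub[:2] == b"\xFF\x25" else None
        info["clr_entry_stub"] = target is not None and image_base + iat_rva <= target < image_base + iat_rva + iat_size
    return info


def build_sample_pe():
    """Constructed image: one .text section at RVA 0x2000 holding the IAT, the
    CLR header, a metadata root with the version string, and the entry stub."""
    text = bytearray(0x200)
    struct.pack_into("<II", text, 0, 0x2080, 0)                                  # IAT: one thunk + terminator
    struct.pack_into(COR20, text, COR_RVA - 0x2000, 72, 2, 5, META_RVA, 28, 1, 0x06000001, *([0] * 12))
    version = b"v4.0.30319\0\0"
    struct.pack_into("<IHHII", text, META_RVA - 0x2000, METADATA_SIG, 1, 1, 0, len(version))
    text[META_RVA - 0x2000 + 16:META_RVA - 0x2000 + 16 + len(version)] = version
    text[ENTRY_RVA - 0x2000:ENTRY_RVA - 0x2000 + 6] = b"\xFF\x25" + struct.pack("<I", IMAGE_BASE + IAT_RVA)
    dirs = [(0, 0)] * 16
    dirs[12], dirs[14] = (IAT_RVA, 8), (COR_RVA, 72)
    opt = struct.pack(OPT32, 0x10B, 48, 0, 0x200, 0, 0, ENTRY_RVA, 0x2000, 0x4000, IMAGE_BASE, 0x2000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 3, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack(COFF, 0x014C, 1, 0x5F05C881, 0, 0, len(opt), 0x0102)   # time stamp from the report
    sect = struct.pack(SECTION, b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    dos = (b"MZ" + bytes(58) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")    # e_lfanew = 0x80
    return bytes((dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0") + text)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe(blob).items():
        print("%-20s %s" % (key, hex(value) if key == "entry_point" else value))
```

The version string comes from the metadata root (the "BSJB" header), which is where the "CLR (.Net) Version" value above originates; the MajorRuntimeVersion/MinorRuntimeVersion pair in the CLR header is a different number (2.5 for every modern assembly) and should not be confused with it.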
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the previous instruction repeats for the remainder of the listing: the bytes after the stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

Note: for a .NET assembly the native entry point is only this six-byte stub, which jumps through the import address table slot at 0x402000 (mscoree!_CorExeMain) so that the CLR loads and runs the managed code; the program logic is IL and has to be read with a .NET decompiler, not a native disassembler. The import hash f34d5f2d4577ed6d9ceec516c1f5a744 above is the one shared by every .NET executable whose only native import is _CorExeMain, so it identifies the runtime, not this sample.
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x15173ac        0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1518000        0x425b8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x155c000        0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size   Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x1515404     0x1515600  unknown   unknown          unknown    unknown         IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x1518000        0x425b8       0x42600    False     0.153436175847   data       3.4725795566    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x155c000        0xc           0x200      False     0.041015625      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name           RVA        Size     Type                                                                        Language  Country
RT_ICON        0x1518388  0x42028  data
RT_GROUP_ICON  0x155a3b0  0x14     data
RT_VERSION     0x1518130  0x254    data
RT_MANIFEST    0x155a3c8  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

DLL          Import
mscoree.dll  _CorExeMain

Description       Data
Translation       0x0000 0x04b0
LegalCopyright
Assembly Version  0.0.0.0
InternalName      TS_Debugger.exe
FileVersion       0.0.0.0
ProductVersion    0.0.0.0
FileDescription
OriginalFilename  TS_Debugger.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

[Memory usage plot: time on the x axis (0 to 100 s), memory on the y axis (0 to 150 MB)]

High Level Behavior Distribution

• File
• Registry

Behavior

System Behavior

Start time: 12:16:10
Start date: 25/06/2021
Path: C:\Users\user\Desktop\TS Debugger.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\TS Debugger.exe'
Imagebase: 0xb30000
File size: 22380544 bytes
MD5 hash: 3E829FB863DE2E9DD877B9F9F426A7DB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Start time: 12:16:12
Start date: 25/06/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 12:16:13
Start date: 25/06/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: 'powershell.exe' -executionpolicy bypass -WindowStyle hidden -file 'TS_Debugger.ps1'
Imagebase: 0x7ff7bedd0000
File size: 447488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Disassembly

Code Analysis

Executed Functions

Memory Dump Source
• Source File: 00000000.00000002.666530262.00007FFA35A20000.00000040.00000001.sdmp, Offset: 00007FFA35A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffa35a20000_TS Debugger.jbxd
Similarity
• Opcode ID: 8b06cbec0a73e30a261daba8fb2371122624b084d9e0ec0031c7240643ab0f95
• Instruction ID: 02d0831aa37006e72850e254d223686701d910735f91f53442219e3e76dacd84
• Opcode Fuzzy Hash: 8b06cbec0a73e30a261daba8fb2371122624b084d9e0ec0031c7240643ab0f95
• Instruction Fuzzy Hash: 8B02A430E18A5A8FEB55EB6CD8966B977F1FF9A300F0480B6D00DD7293DE29AC419741
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.666530262.00007FFA35A20000.00000040.00000001.sdmp, Offset: 00007FFA35A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffa35a20000_TS Debugger.jbxd
Similarity
• Opcode ID: 8d442ea9f19b9039e7114cf221cc0445ac2e8d6ed7986c1c199714d5cc4fece0
• Instruction ID: 0bb4ff9c87f94274ebb8ed5f9a6abc0ebead2fefb70ee10dfdd02e889d278d31
• Opcode Fuzzy Hash: 8d442ea9f19b9039e7114cf221cc0445ac2e8d6ed7986c1c199714d5cc4fece0
• Instruction Fuzzy Hash: FEC14030E18A1A8FEB94EB5CD4996BD77F5FF99300F148079D40EE7296CE25AC429B40
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions