Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1531723
MD5:	31d649663149dabd99c51b71e60a4a91
SHA1:	f5f515e1818388c9360bde15a7dfcb265e86a812
SHA256:	2acb9052db5b304a822f8cd1169e31327e967e06ff78064997ea8a5003e783ec
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Found Tor onion address

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Modifies Windows Defender protection settings

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality to call native functions

Contains functionality to create new users

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 31D649663149DABD99C51B71E60A4A91)

file.exe (PID: 5232 cmdline: C:\Users\user\Desktop\file.exe MD5: 31D649663149DABD99C51B71E60A4A91)

cmd.exe (PID: 6452 cmdline: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5592 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2656 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 7124 cmdline: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

cwjk513wjc7a1mlgh3.exe (PID: 560 cmdline: "C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe" MD5: 319865D78CC8DF6270E27521B8182BFF)

73tsjpnle0jv48sgryqfs6ph8t.exe (PID: 6248 cmdline: "C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe" MD5: 7D1755E8E41A6C2F08D2FAEFFDF9DAD1)

taskkill.exe (PID: 5600 cmdline: taskkill.exe /F /FI "SERVICES eq RDP-Controller" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3900 cmdline: sc.exe stop RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 600 cmdline: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3928 cmdline: sc.exe failure RDP-Controller reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 6756 cmdline: sc.exe start RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 6876 cmdline: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 5800 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

main.exe (PID: 2656 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: 4E320E2F46342D6D4657D2ADBF1F22D0)

WerFault.exe (PID: 4556 cmdline: C:\Windows\system32\WerFault.exe -u -p 2656 -s 1188 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 3672 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5268 cmdline: C:\Windows\system32\WerFault.exe -pss -s 444 -p 2656 -ip 2656 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

main.exe (PID: 2256 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: 4E320E2F46342D6D4657D2ADBF1F22D0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, NewProcessName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, OriginalFileName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5268, ProcessCommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ProcessId: 2656, ProcessName: main.exe

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 23.128.248.23, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 2256, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 9195

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6452, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 5592, ProcessName: powershell.exe

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe, ParentProcessId: 6248, ParentProcessName: 73tsjpnle0jv48sgryqfs6ph8t.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 600, ProcessName: sc.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 23.137.250.108, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 2656, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49755

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6452, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", ProcessId: 7124, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe, ParentProcessId: 6248, ParentProcessName: 73tsjpnle0jv48sgryqfs6ph8t.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 600, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6452, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 5592, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3672, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	ReversingLabs: Detection: 41%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.2770000.1.unpack

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source:	Binary string: RfxVmt.pdb source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, Cw0MZxef.23.dr, rfxvmt.dll.23.dr
Source:	Binary string: RfxVmt.pdbGCTL source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, Cw0MZxef.23.dr, rfxvmt.dll.23.dr

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11506DA3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11506D5F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11776D5F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11776DA3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: 5_2_00007FF64B933DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF7C1AB47A3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1150A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BD1883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11EC5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126E57B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A4F5203 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A522FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1177A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 217.255.81.237 ports 0,1,3,5,7,10753
Source: global traffic	TCP traffic: 173.68.123.78 ports 0,2,3,4,5,25043
Source: global traffic	TCP traffic: 77.54.240.255 ports 14290,0,1,2,4,9

Found Tor onion address

Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/O
Source: main.exe, 00000017.00000002.2669826636.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000020.00000003.2796330606.00000142D8DAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000003.2796297665.00000142D8DD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/w
Source: main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000020.00000003.2796330606.00000142D8DA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Onion-Location: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: 6rRRlGVV.23.dr	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: cwjk513wjc7a1mlgh3.exe.1.dr

Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterDeleteByKey0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0

Source: unknown

Network traffic detected: IP country count 14

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 146.70.24.213:1125
Source: global traffic	TCP traffic: 192.168.2.4:49780 -> 91.149.236.241:26270
Source: global traffic	TCP traffic: 192.168.2.4:49781 -> 124.169.148.215:37472
Source: global traffic	TCP traffic: 192.168.2.4:49782 -> 77.54.240.255:14290
Source: global traffic	TCP traffic: 192.168.2.4:49792 -> 23.137.249.66:9520
Source: global traffic	TCP traffic: 192.168.2.4:49793 -> 217.255.81.237:10753
Source: global traffic	TCP traffic: 192.168.2.4:49794 -> 173.68.123.78:25043
Source: global traffic	TCP traffic: 192.168.2.4:49795 -> 80.46.94.241:9823
Source: global traffic	TCP traffic: 192.168.2.4:49801 -> 99.174.64.226:9448
Source: global traffic	TCP traffic: 192.168.2.4:50034 -> 50.100.197.208:11811
Source: global traffic	TCP traffic: 192.168.2.4:50039 -> 173.47.97.119:21732
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 151.242.80.51:29738
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 2.191.228.230:27119
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 85.236.190.252:13148
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 87.225.96.167:11115
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 2.178.241.192:9696
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 95.68.156.35:20185
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 83.255.145.146:20666
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 82.38.134.93:12701
Source: global traffic	UDP traffic: 192.168.2.4:28204 -> 62.210.85.80:17893
Source: global traffic	UDP traffic: 192.168.2.4:9195 -> 45.30.192.252:9368
Source: global traffic	UDP traffic: 192.168.2.4:9195 -> 45.126.126.80:13092
Source: global traffic	UDP traffic: 192.168.2.4:9195 -> 23.128.248.23:7777
Source: global traffic	UDP traffic: 192.168.2.4:9195 -> 89.87.222.219:21603

Source: Joe Sandbox View

ASN Name: ASN-METANETRoutingpeeringissuesnocmetanetchCH ASN-METANETRoutingpeeringissuesnocmetanetchCH

Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FFE11505EEA recv,WSAGetLastError,

Source: global traffic	HTTP traffic detected: GET https://banana.incognet.io:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://banana.incognet.io:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.diva.exchange:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close

Source: global traffic	DNS traffic detected: DNS query: banana.incognet.io
Source: global traffic	DNS traffic detected: DNS query: reseed.diva.exchange

Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000003.2278107155.00000157C5E73000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2278195165.00000157C5E78000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: http://127.0.0.1:8118
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: main.exe, 00000020.00000003.2796330606.00000142D8DAB000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2796297665.00000142D8DD6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2796330606.00000142D8DA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3
Source: main.exe, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954930725.00000142D8DA8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr, 6rRRlGVV.23.dr	String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txt?~
Source: main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtei
Source: main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtf?
Source: main.exe, 00000020.00000002.2954930725.00000142D8DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txty-
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: http://rus.i2p/hosts.txt
Source: main.exe, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr, 6rRRlGVV.23.dr	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/
Source: main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3/)
Source: main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: Amcache.hve.31.dr	String found in binary or memory: http://upx.sf.net
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://banana.incognet.io/
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io/W
Source: main.exe, 00000017.00000002.2668284810.00000157C6271000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2292775303.00000157C6272000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2291390149.00000157C6272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io/i2pseeds.su3
Source: main.exe, 00000017.00000003.2291390149.00000157C6272000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2782368111.00000142D89FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io:443/i2pseeds.su3
Source: main.exe, 00000017.00000003.2291390149.00000157C6272000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io:443/i2pseeds.su3W
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://i2p.ghativega.in/
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: https://i2p.mooo.com/netDb/
Source: main.exe, 00000020.00000002.2954829051.00000142D899E000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://i2p.novg.net/
Source: main.exe, 00000017.00000002.2668148330.00000157C5E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2p.novg.net/K
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: main.exe, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954930725.00000142D8D50000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: https://netdb.i2p2.no/
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-fr.i2pd.xyz/I
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-pl.i2pd.xyz/3
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-pl.i2pd.xyz/F
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed.diva.exchange/
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.diva.exchange/b.c
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	String found in binary or memory: https://reseed.i2p-projekt.de/
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed.i2pgit.org/
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/6
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/L
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed.memcpy.io/
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.memcpy.io/%
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/O
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/w
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D899E000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed.stormycloud.org/
Source: main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/HWUm~GTa
Source: main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://reseed2.i2p.net/
Source: main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/vp/p_lib.c
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2668148330.00000157C5E68000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2669826636.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D899E000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	String found in binary or memory: https://www2.mk16.de/
Source: main.exe, 00000017.00000002.2668148330.00000157C5E68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.mk16.de/m

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B93929A inet_addr,ntohl,

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B93292E strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File deleted: C:\Windows\Temp\t291wOio

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02734B56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02735B4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_027453FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0274702E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_027360DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0274D132
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02737F3A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02739D02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0273CDB2
Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: 5_2_00007FF64B93E4E0
Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: 5_2_00007FF64B93DE8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF7C1AC1AB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF7C1ABC440
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11510880
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE24D0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11ECEF60
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126ECB10
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A4FEAA0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A528F0E
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A528FFC
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A530480
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A528CDB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A528DC6
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE11780880

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll A62BDF318386AAAB93F1D25144CFBDC1A1125AAAD867EFC4E49FE79590181EBF
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll 51C131081921626D22FAF44977D5E4DCFE00E5D6CDDEDA877A82F13631BE7C2E

Source: C:\Windows\System32\icacls.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: String function: 00007FF64B9314E2 appears 295 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FF7C1AB2EF2 appears 314 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11BDC852 appears 526 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE117740D2 appears 473 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11EC9DC2 appears 405 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE115040D2 appears 473 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE1A5277A2 appears 388 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE126E2072 appears 356 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE1A4F1352 appears 398 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 2656 -ip 2656

Source: evtsrv.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: w3LkirgH.23.dr	Static PE information: Number of sections : 11 > 10
Source: TsG1eHIt.23.dr	Static PE information: Number of sections : 11 > 10
Source: ogg99SMu.23.dr	Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: 6rRRlGVV.23.dr	Static PE information: Number of sections : 11 > 10
Source: ROF9A37w.23.dr	Static PE information: Number of sections : 11 > 10
Source: t291wOio.23.dr	Static PE information: Number of sections : 11 > 10
Source: prgmgr.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: file.exe	Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: samctl.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: bMZx4vGr.23.dr	Static PE information: Number of sections : 11 > 10
Source: termsrv32.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: eKTTDy2k.23.dr	Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000000.1706105306.00000000008B0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLAPLINK.EXE: vs file.exe
Source: file.exe, 00000000.00000002.1710097897.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe
Source: file.exe, 00000001.00000002.2954243691.0000000002758000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameLAPLINK.EXE: vs file.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@45/68@2/27

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B93855D CreateToolhelp32Snapshot,Process32First,Process32Next,GetLastError,GetLastError,GetLastError,OpenProcess,QueryFullProcessImageNameW,GetLastError,CloseHandle,GetLastError,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B931A19 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError,

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FF7C1AB1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FF7C1AB1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess2656
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat"

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

File read: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe "C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe "C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe"
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 2656 -ip 2656
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2656 -s 1188
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\7mmwpep245voy3fngkym99px3pj5vx36.bat"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe "C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe "C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 2656 -ip 2656
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2656 -s 1188
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

File written: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 5654528 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43c600

Source:	Binary string: RfxVmt.pdb source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, Cw0MZxef.23.dr, rfxvmt.dll.23.dr
Source:	Binary string: RfxVmt.pdbGCTL source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, Cw0MZxef.23.dr, rfxvmt.dll.23.dr

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.2770000.1.unpack

Source: rfxvmt.dll.23.dr

Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B93FF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

Source: file.exe	Static PE information: section name: .didata
Source: cwjk513wjc7a1mlgh3.exe.1.dr	Static PE information: section name: .xdata
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe.1.dr	Static PE information: section name: .xdata
Source: main.exe.12.dr	Static PE information: section name: .xdata
Source: termsrv32.dll.23.dr	Static PE information: section name: .xdata
Source: rdpctl.dll.23.dr	Static PE information: section name: .xdata
Source: samctl.dll.23.dr	Static PE information: section name: .xdata
Source: prgmgr.dll.23.dr	Static PE information: section name: .xdata
Source: dwlmgr.dll.23.dr	Static PE information: section name: .xdata
Source: cnccli.dll.23.dr	Static PE information: section name: .xdata
Source: libi2p.dll.23.dr	Static PE information: section name: .xdata
Source: evtsrv.dll.23.dr	Static PE information: section name: .xdata
Source: ROF9A37w.23.dr	Static PE information: section name: .xdata
Source: w3LkirgH.23.dr	Static PE information: section name: .xdata
Source: eKTTDy2k.23.dr	Static PE information: section name: .xdata
Source: bMZx4vGr.23.dr	Static PE information: section name: .xdata
Source: ogg99SMu.23.dr	Static PE information: section name: .xdata
Source: t291wOio.23.dr	Static PE information: section name: .xdata
Source: 6rRRlGVV.23.dr	Static PE information: section name: .xdata
Source: TsG1eHIt.23.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0274F262 push es; retf
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0273120E pushfd ; retf
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02736769 push esi; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE7A07 push qword ptr [00007FFE47BE78D8h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79FF push qword ptr [00007FFE47BE78D0h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE7A17 push qword ptr [00007FFE18BE78E8h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE7A0F push qword ptr [00007FFE47BE78E0h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79CB push qword ptr [00007FFE47BE789Ch]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79C3 push qword ptr [00007FFE47BE7894h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79D3 push qword ptr [00007FFE47BE78A4h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79E7 push qword ptr [00007FFE47BE78B8h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79F7 push qword ptr [00007FFE47BE78C8h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79EF push qword ptr [00007FFE47BE78C0h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79BB push qword ptr [00007FFE47BE788Ch]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE79B3 push qword ptr [00007FFE47BE7884h]; retf
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72CC push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72C4 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72DC push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72D8 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72D4 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72D0 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72E8 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72E4 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72E0 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72BC push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE72B8 push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE727C push rsp; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BE726F push qword ptr [rsi]; ret
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11ED0052 push rsi; iretd

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FFE1150870B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile,

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ROF9A37w	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TsG1eHIt	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bMZx4vGr	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ogg99SMu	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\t291wOio	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\Cw0MZxef	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\eKTTDy2k	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\w3LkirgH	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6rRRlGVV	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ROF9A37w	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TsG1eHIt	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bMZx4vGr	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ogg99SMu	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\t291wOio	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\Cw0MZxef	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\eKTTDy2k	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\w3LkirgH	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6rRRlGVV	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ROF9A37w	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\Cw0MZxef	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\w3LkirgH	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\eKTTDy2k	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\bMZx4vGr	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ogg99SMu	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\t291wOio	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\6rRRlGVV	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TsG1eHIt	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FF7C1AB1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000017.00000002.2670395714.00007FFE11514000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.2670395714.00007FFE11514000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000020.00000002.2955747278.00007FFE11784000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000020.00000002.2955747278.00007FFE11784000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4822
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5045
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6319
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3372
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7904
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1638

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\ROF9A37w	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\TsG1eHIt	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\bMZx4vGr	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\ogg99SMu	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\t291wOio	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\Cw0MZxef	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\eKTTDy2k	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\6rRRlGVV	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\w3LkirgH	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

API coverage: 8.0 %

Source: C:\Users\user\Desktop\file.exe TID: 7160	Thread sleep time: -35760000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744	Thread sleep count: 4822 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4428	Thread sleep count: 5045 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2476	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5356	Thread sleep count: 6319 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4948	Thread sleep count: 3372 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6544	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1620	Thread sleep count: 7904 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2844	Thread sleep count: 1638 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6248	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 7116	Thread sleep count: 46 > 30

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: 5_2_00007FF64B933DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF7C1AB47A3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1150A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BD1883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11EC5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126E57B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A4F5203 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A522FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE1177A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 120000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.31.dr	Binary or memory string: VMware
Source: Amcache.hve.31.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.31.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.31.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.31.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.31.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.31.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.31.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.31.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.31.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.31.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.31.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2334937494.000002B8FC2D7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2277765517.00000157C4DCC000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954686645.00000142D8248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, 00000001.00000002.2953885741.0000000000B49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG
Source: Amcache.hve.31.dr	Binary or memory string: vmci.sys
Source: main.exe, 00000017.00000002.2667296151.00000157C4DAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: Amcache.hve.31.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.31.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.31.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.31.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.31.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.31.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.31.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.31.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.31.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.31.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.31.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.31.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.31.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.31.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.31.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.31.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B93FF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B938CFC FreeLibrary,strlen,GetProcessHeap,HeapAlloc,BuildTrusteeWithSidW,BuildSecurityDescriptorW,GetProcessHeap,HeapFree,LocalFree,

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: 5_2_00007FF64B931131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,
Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: 5_2_00007FF64B94B6A0 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	Code function: 5_2_00007FF64B9405D9 SetUnhandledExceptionFilter,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF7C1AB1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"

Modifies Windows Defender protection settings

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 444 -p 2656 -ip 2656
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2656 -s 1188

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe

Code function: 5_2_00007FF64B936FD5 GetSystemTimeAsFileTime,

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FFE11506DA3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

Source: C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.31.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.31.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.31.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: cwjk513wjc7a1mlgh3.exe, 00000005.00000002.1754874180.000002C49AA18000.00000004.00000020.00020000.00000000.sdmp, Amcache.hve.31.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE115058DA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11BDAEAA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11EC1F9A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126E28BA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126FB820 listen,htons,recv,select,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126FB7E8 bind,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A4F418A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1A5215FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 32_2_00007FFE117758DA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 Network Sniffing	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Create Account	2 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Service Execution	2 Valid Accounts	4 Windows Service	1 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	4 Windows Service	11 Process Injection	1 Timestomp	LSA Secrets	1 Network Sniffing	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 DLL Side-Loading	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Network Share Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	131 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	31 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Access Token Manipulation	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	31 Virtualization/Sandbox Evasion	Input Capture	1 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	11 Process Injection	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Hidden Users	GUI Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Services File Permissions Weakness	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	100%	Joe Sandbox ML
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	75%	ReversingLabs	Win64.Trojan.Barys
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe	42%	ReversingLabs	Win64.Trojan.Barys
C:\Users\user\AppData\Local\Temp\cwjk513wjc7a1mlgh3.exe	3%	ReversingLabs
C:\Windows\Temp\6rRRlGVV	0%	ReversingLabs
C:\Windows\Temp\Cw0MZxef	0%	ReversingLabs
C:\Windows\Temp\ROF9A37w	0%	ReversingLabs
C:\Windows\Temp\TsG1eHIt	0%	ReversingLabs
C:\Windows\Temp\bMZx4vGr	0%	ReversingLabs
C:\Windows\Temp\eKTTDy2k	0%	ReversingLabs
C:\Windows\Temp\ogg99SMu	0%	ReversingLabs
C:\Windows\Temp\t291wOio	0%	ReversingLabs
C:\Windows\Temp\w3LkirgH	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
banana.incognet.io	23.137.250.108	true	true		unknown
reseed.diva.exchange	80.74.145.70	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reseed.diva.exchange/b.c	main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://i2pseed.creativecowpat.net:8443/	main.exe, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954930725.00000142D8D50000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://i2p.novg.net/K	main.exe, 00000017.00000002.2668148330.00000157C5E68000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://kopanyoc2lnsx5qwpslkik4uccej6zqna7qq2igbofhmb2qxwflwfqad.onion/i2pseeds.su3	main.exe, 00000020.00000003.2796330606.00000142D8DAB000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2796297665.00000142D8DD6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2796330606.00000142D8DA2000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://reseed.memcpy.io/	main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://reseed.i2pgit.org/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://reseed-fr.i2pd.xyz/I	main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed-pl.i2pd.xyz/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
http://stats.i2p/cgi-bin/newhosts.txt	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
http://127.0.0.1:8118	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000003.2278107155.00000157C5E73000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2278195165.00000157C5E78000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
https://banana.incognet.io:443/i2pseeds.su3W	main.exe, 00000017.00000003.2291390149.00000157C6272000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.onion.im/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://banana.incognet.io/W	main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://i2p.mooo.com/netDb/	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
https://reseed2.i2p.net/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
http://reg.i2p/hosts.txty-	main.exe, 00000020.00000002.2954930725.00000142D8DA8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://banana.incognet.io/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	main.exe, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr, 6rRRlGVV.23.dr	false		unknown
https://www2.mk16.de/m	main.exe, 00000017.00000002.2668148330.00000157C5E68000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed-fr.i2pd.xyz/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://reseed.i2pgit.org/L	main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.onion.im/O	main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	true		unknown
https://reseed.i2p-projekt.de/	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
https://i2p.novg.net/	main.exe, 00000020.00000002.2954829051.00000142D899E000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://reseed-pl.i2pd.xyz/3	main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3/)	main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://netdb.i2p2.no/	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
https://i2p.ghativega.in/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://reseed.i2pgit.org/6	main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.31.dr	false	URL Reputation: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www2.mk16.de/	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2668148330.00000157C5E68000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2669826636.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D899E000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
http://reg.i2p/hosts.txt	main.exe, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954930725.00000142D8DA8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr, 6rRRlGVV.23.dr	false		unknown
https://reseed.stormycloud.org/HWUm~GTa	main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://banana.incognet.io/i2pseeds.su3	main.exe, 00000017.00000002.2668284810.00000157C6271000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2292775303.00000157C6272000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2291390149.00000157C6272000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed-pl.i2pd.xyz/F	main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.memcpy.io/%	main.exe, 00000017.00000002.2668148330.00000157C5EC7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.onion.im/w	main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://identiguy.i2p/hosts.txt	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
http://reg.i2p/hosts.txtf?	main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://reg.i2p/hosts.txtei	main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.diva.exchange/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
https://reseed2.i2p.net/vp/p_lib.c	main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://legit-website.com/i2pseeds.su3	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
http://reg.i2p/hosts.txt?~	main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown
https://banana.incognet.io:443/i2pseeds.su3	main.exe, 00000017.00000003.2291390149.00000157C6272000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000003.2782368111.00000142D89FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.stormycloud.org/	main.exe, main.exe, 00000020.00000003.2782395094.00000142D89D6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2955509001.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D899E000.00000004.00000020.00020000.00000000.sdmp, 6rRRlGVV.23.dr	true		unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	main.exe, 00000017.00000002.2668148330.00000157C5E3D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000020.00000002.2954829051.00000142D893D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://rus.i2p/hosts.txt	73tsjpnle0jv48sgryqfs6ph8t.exe, 0000000C.00000002.2335094214.00007FF71096E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2667528245.00000157C5A0F000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, 2L2zlVsY.23.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
80.74.145.70	reseed.diva.exchange	Switzerland	21069	ASN-METANETRoutingpeeringissuesnocmetanetchCH	true
2.178.241.192	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
45.126.126.80	unknown	Australia	64022	KAMATERAINC-AS-APKamateraIncHK	false
146.70.24.213	unknown	United Kingdom	2018	TENET-1ZA	false
85.236.190.252	unknown	Russian Federation	35032	TAHIONISP-ASRU	false
23.137.249.66	unknown	Reserved	397614	GTLAKESUS	false
95.68.156.35	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
89.87.222.219	unknown	France	5410	BOUYGTEL-ISPFR	false
23.137.250.108	banana.incognet.io	Reserved	397614	GTLAKESUS	true
91.149.236.241	unknown	Poland	41952	MARTON-ASPL	false
2.191.228.230	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
62.210.85.80	unknown	France	12876	OnlineSASFR	false
124.169.148.215	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false
151.242.80.51	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	false
82.38.134.93	unknown	United Kingdom	5089	NTLGB	false
217.255.81.237	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	true
173.68.123.78	unknown	United States	701	UUNETUS	true
83.255.145.146	unknown	Sweden	39651	COMHEM-SWEDENSE	false
45.30.192.252	unknown	United States	7018	ATT-INTERNET4US	false
173.47.97.119	unknown	United States	26788	ROGERS-COMMUNICATIONSCA	false
23.128.248.23	unknown	Reserved	397120	CHEMUNGCONYUS	true
77.54.240.255	unknown	Portugal	12353	VODAFONE-PTVodafonePortugalPT	true
87.225.96.167	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
80.46.94.241	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	false
50.100.197.208	unknown	Canada	603	BACOM2-ASCA	false
99.174.64.226	unknown	United States	7018	ATT-INTERNET4US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531723
Start date and time:	2024-10-11 16:52:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@45/68@2/27
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 73tsjpnle0jv48sgryqfs6ph8t.exe, PID 6248 because it is empty
Execution Graph export aborted for target file.exe, PID 7096 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:53:08	API Interceptor	298x Sleep call for process: file.exe modified
10:53:09	API Interceptor	39x Sleep call for process: powershell.exe modified
10:54:35	API Interceptor	40x Sleep call for process: main.exe modified
10:54:40	API Interceptor	1x Sleep call for process: WerFault.exe modified

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9805730517966776
Encrypted:	false
SSDEEP:	96:V4wFgDac6OsehMX7q9fwQXIDcQic6EcERcw3W3d+HbHg/opAnQzOqg7ThVMkQBr6:Pa2c6O/d0MALS36jV7EzuiFXZ24lO8l
MD5:	BF30ED6D98526E033653DAA37E8B2BBC
SHA1:	30CB07EAE72BF1B4A12AA4657E0A1D2524F48035
SHA-256:	656CE38AA916CC503773E87FF22DFA565D6A0058323AFA7A9DE92F4E55445CA5
SHA-512:	8E5EA50AC5A800748B20E11713BF1F3D73C78C2E0BE49B95B8707C68D5B1FD6B8F143347964A2CF8AAC2F6A5BA63A33A2C8CAFDD308B9A0DA780D71725286B63
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.1.3.2.0.7.1.9.4.1.4.7.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.1.3.2.0.7.2.4.7.2.7.1.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.8.1.d.6.b.4.d.-.0.5.a.1.-.4.3.8.2.-.b.a.b.e.-.9.0.f.a.5.5.8.e.a.3.9.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.6.b.f.9.7.d.8.-.a.5.8.8.-.4.a.4.a.-.8.6.a.0.-.c.d.b.d.d.a.7.3.5.4.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.a.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.6.0.-.0.0.0.0.-.0.0.1.4.-.d.b.5.6.-.d.b.6.7.e.d.1.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.1.8.d.4.3.1.0.6.5.7.e.8.3.6.8.5.5.7.f.1.8.3.e.1.5.c.4.7.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.a.c.f.e.6.3.9.7.d.f.f.c.6.1.d.2.4.3.2.0.6.8.8.5.c.3.8.9.e.a.0.5.4.2.8.7.5.5.!.m.a.i.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.:.0.0.:.0.0.:.0.0.!.1.d.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	78902
Entropy (8bit):	3.0940774677149414
Encrypted:	false
SSDEEP:	1536:J4K5VtjFIZ0cM7x4rlSVgZwb0s0QnaLI+wM:J4K5VtjFIZ0cM7x4rlSVgZwb0s0QnQIW
MD5:	CE8315AA6AA5C5687472EA302DB22AF6
SHA1:	17F53B5DACA9E46454AD3B3AE23B131850BDFFE4
SHA-256:	AFDFE71EC441C20D333DCC634713A1C3823B6A6921A22000AA12121D9D14AF93
SHA-512:	3A3181617E45FF900B4AB1195443BA0426B55204DF5F444C9C48849FD69877CC8970B3AB2D48BC2D0A02070673A70A47C2E532384A91B33080467BF5B473DFB4
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	10639360
Entropy (8bit):	7.4147455331909855
Encrypted:	false
SSDEEP:	196608:PE1LTxbO313norADHLHhHiVulZ/KHNV4G:PyxbOFC8b/KtV4
MD5:	7D1755E8E41A6C2F08D2FAEFFDF9DAD1
SHA1:	C04D89F1054F2EE34B548126A5ADD4EEE4751AE4
SHA-256:	44CF4321C138C4CACECC95DEBA735F508C96049E7F0E8F0538684DC4F0C1E9A5
SHA-512:	B099238838B0D8B258529126B3C279AC735FEFF778D52C3117EB3CD587267A145A09BC1317FB412B2C810EA8B2232A8218FE459E33AC99F9B48DECFDC62E4816
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....T.................@...................................a.....`... ..............................................................@..d...........................................`/..(....................................................text...(...........................`..`.data.............................@....rdata...^......`.................@..@.pdata..d....@.......(..............@..@.xdata.......P.......2..............@..@.bss....p....`...........................idata...............<..............@....CRT....`............R..............@....tls.................T..............@....reloc...............V..............@..B................................................................................................................................................................................................................

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.026200028456233
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	file.exe
File size:	5'654'528 bytes
MD5:	31d649663149dabd99c51b71e60a4a91
SHA1:	f5f515e1818388c9360bde15a7dfcb265e86a812
SHA256:	2acb9052db5b304a822f8cd1169e31327e967e06ff78064997ea8a5003e783ec
SHA512:	9cd1b7f923f37a620074c2c8dfb79558429e53a6b789ab58917889404dcad505b102a784946dbd9b0bc85ab4eb751af8c33e0c0480bb21619e5d38bef668cc63
SSDEEP:	49152:eDShb1KwGF4Ilow5sADndfK0IptgSoP6MRM2BTXwmlPJmqHc4a/:LQK0/lX9PJhHc
TLSH:	34463A3F72A4C269C15EC17FC1A7CF40E533B9795B33C6E742A106689A168C75EBE620
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

Entrypoint:	0x83d530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x67040F91 [Mon Oct 7 16:42:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	bf7e94a88b651f53cc57bdb23fcd2c2f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4ae000	0x97	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a8000	0x48de	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52a000	0x4b400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4eb000	0x3e9c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b1000	0x39178	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b0000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4a92c0	0x1130	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4ad000	0xe3c	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x43c5c0	0x43c600	4dc050f2b4f53a64168d2d2b3bb04cf6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x43e000	0x5ee38	0x5f000	c96c0455df11a9306f23138f836838b1	False	0.22957699424342104	data	4.71291425546474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x49d000	0xaab4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x4a8000	0x48de	0x4a00	586f243f7059a7c5e3cc1599e712e400	False	0.24266258445945946	data	4.353393974383116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x4ad000	0xe3c	0x1000	cffac5f732be0532b2a4d072e873b001	False	0.2392578125	data	3.075608222202654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x4ae000	0x97	0x200	32e00411291ba873b0de75e561276889	False	0.251953125	data	1.8329856927687613	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x4af000	0x1e4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4b0000	0x6d	0x200	cb0aedb4d69d2e7d3f915611730f186c	False	0.1953125	data	1.375717479766274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4b1000	0x39178	0x39200	3895bdffdd7a3e7f1d857eb7488e8413	False	0.469976579595186	data	6.475527769134284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x4eb000	0x3e9c4	0x3ea00	6086c296052ff020a33a7ba75c81e109	False	0.491813248502994	data	6.369980557431763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52a000	0x4b400	0x4b400	7cd7c843107b0c985a216d5520dc5729	False	0.5633175872093024	data	6.403199046558459	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x52aca8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x52addc	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x52af10	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x52b044	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x52b178	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x52b2ac	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x52b3e0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x52b514	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.4147121535181237
RT_ICON	0x52c3bc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.476985559566787
RT_ICON	0x52cc64	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.48554913294797686
RT_ICON	0x52d1cc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.5167012448132781
RT_ICON	0x52f774	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.5719981238273921
RT_ICON	0x53081c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7109929078014184
RT_STRING	0x530c84	0x8b0	data			0.2648381294964029
RT_STRING	0x531534	0x2e4	data			0.4540540540540541
RT_STRING	0x531818	0x2a4	data			0.4896449704142012
RT_STRING	0x531abc	0x200	data			0.53125
RT_STRING	0x531cbc	0x1f0	data			0.5
RT_STRING	0x531eac	0x378	data			0.43243243243243246
RT_STRING	0x532224	0x390	data			0.39144736842105265
RT_STRING	0x5325b4	0x2f0	data			0.4242021276595745
RT_STRING	0x5328a4	0x488	data			0.3905172413793103
RT_STRING	0x532d2c	0x4e4	data			0.39217252396166136
RT_STRING	0x533210	0x3a4	data			0.4034334763948498
RT_STRING	0x5335b4	0x34c	data			0.40165876777251186
RT_STRING	0x533900	0x390	data			0.3355263157894737
RT_STRING	0x533c90	0x3e0	data			0.43850806451612906
RT_STRING	0x534070	0x38c	data			0.31167400881057267
RT_STRING	0x5343fc	0x3e0	data			0.42439516129032256
RT_STRING	0x5347dc	0x184	data			0.5412371134020618
RT_STRING	0x534960	0xd4	data			0.660377358490566
RT_STRING	0x534a34	0x214	data			0.5
RT_STRING	0x534c48	0x3c8	data			0.3822314049586777
RT_STRING	0x535010	0x3f4	data			0.391304347826087
RT_STRING	0x535404	0x47c	data			0.3423344947735192
RT_STRING	0x535880	0x28c	data			0.34662576687116564
RT_STRING	0x535b0c	0x454	data			0.41064981949458484
RT_STRING	0x535f60	0x4b4	data			0.3953488372093023
RT_STRING	0x536414	0x4cc	data			0.34446254071661236
RT_STRING	0x5368e0	0x3b0	data			0.3792372881355932
RT_STRING	0x536c90	0x3d8	data			0.34146341463414637
RT_STRING	0x537068	0x35c	data			0.37906976744186044
RT_STRING	0x5373c4	0xd0	data			0.5721153846153846
RT_STRING	0x537494	0xa0	data			0.65
RT_STRING	0x537534	0x394	data			0.4268558951965066
RT_STRING	0x5378c8	0x434	data			0.3308550185873606
RT_STRING	0x537cfc	0x390	data			0.37609649122807015
RT_STRING	0x53808c	0x2dc	data			0.38114754098360654
RT_STRING	0x538368	0x34c	data			0.3246445497630332
RT_RCDATA	0x5386b4	0x10	data			1.5
RT_RCDATA	0x5386c4	0x3bbb7	data	English	United States	0.6175269656629732
RT_RCDATA	0x57427c	0xb78	data			0.4778610354223433
RT_RCDATA	0x574df4	0x151	Delphi compiled form 'TForm1'			0.7210682492581603
RT_GROUP_CURSOR	0x574f48	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x574f5c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x574f70	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574f84	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574f98	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574fac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574fc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x574fd4	0x5a	data			0.7
RT_VERSION	0x575030	0x368	data	English	United States	0.44954128440366975

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindFirstFileW, FindClose, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayGetElemsize, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
shell32.dll	Shell_NotifyIconW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4991b0
__dbk_fcall_wrapper	2	0x417300
dbkFCallWrapperAddr	1	0x8a1f58

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 11, 2024 16:53:05.863054991 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:05.868313074 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:05.868416071 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:05.869153976 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:05.874092102 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:06.696666956 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:06.697221041 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:06.697329044 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:08.704670906 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:08.709882021 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:08.709980965 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:08.715009928 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:08.867379904 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:08.914247036 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:08.942254066 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:08.954762936 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:08.959743977 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:08.959845066 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:08.964899063 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.070842981 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.117343903 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.204994917 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.205296040 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.210371971 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.210431099 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.215917110 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.216562033 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.221422911 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.221487999 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.226387024 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.336935043 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.342206001 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.342300892 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.347101927 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.462908983 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463041067 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463102102 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463099957 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.463113070 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463129044 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463186026 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.463207006 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463217020 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463227034 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463253975 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.463277102 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.463897943 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463933945 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.463979006 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.464067936 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.464138985 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.464148998 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.464186907 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.464549065 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.464565992 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.464605093 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.465210915 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.465254068 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.467910051 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.508002996 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.554255962 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554291964 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554302931 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554307938 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554313898 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554325104 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554392099 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.554392099 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.554445028 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554461956 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554478884 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554488897 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554498911 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554502010 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.554511070 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.554526091 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.554554939 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.555361986 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.555372000 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.555394888 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.555403948 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.555416107 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.555421114 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.555428028 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.555444956 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.555465937 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.556289911 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556338072 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556379080 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.556468964 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556478977 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556488037 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556519032 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.556855917 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556866884 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556876898 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:09.556895018 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:09.556916952 CEST	49730	1125	192.168.2.4	146.70.24.213
Oct 11, 2024 16:53:10.036329985 CEST	1125	49730	146.70.24.213	192.168.2.4
Oct 11, 2024 16:53:10.036353111 CEST	1125	49730	146.70.24.213	192.168.2.4

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 11, 2024 16:54:03.003743887 CEST	192.168.2.4	1.1.1.1	0xf383	Standard query (0)	banana.incognet.io	A (IP address)	IN (0x0001)	false
Oct 11, 2024 16:54:53.298024893 CEST	192.168.2.4	1.1.1.1	0xd5be	Standard query (0)	reseed.diva.exchange	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 11, 2024 16:54:03.016427040 CEST	1.1.1.1	192.168.2.4	0xf383	No error (0)	banana.incognet.io		23.137.250.108	A (IP address)	IN (0x0001)	false
Oct 11, 2024 16:54:53.455132008 CEST	1.1.1.1	192.168.2.4	0xd5be	No error (0)	reseed.diva.exchange		80.74.145.70	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:53:04
Start date:	11/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	5'654'528 bytes
MD5 hash:	31D649663149DABD99C51B71E60A4A91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	10:53:11
Start date:	11/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Imagebase:	0x7ff7699e0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	10:53:13
Start date:	11/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	10:53:56
Start date:	11/10/2024
Path:	C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\73tsjpnle0jv48sgryqfs6ph8t.exe"
Imagebase:	0x7ff70f330000
File size:	10'639'360 bytes
MD5 hash:	7D1755E8E41A6C2F08D2FAEFFDF9DAD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	10:53:59
Start date:	11/10/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Imagebase:	0x7ff7b25f0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	22
Start time:	10:54:00
Start date:	11/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_381d6b4d-05a1-4382-babe-90fa558ea39b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF885.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9CE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9EE.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9FC.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFA3B.tmp.txt

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\n53qvwtup4waekyrakvw2svm247ujbkgfwsr6blnwpantzo5nz2a.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\wz7qkrnzqpr2zyylfckxtaxrsqsblspad7pbqa3ee5qc7klzdqfq.dat

Windows Analysis Report
file.exe

Target ID:	25
Start time:	10:54:01
Start date:	11/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	29
Start time:	10:54:31
Start date:	11/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	32
Start time:	10:54:51
Start date:	11/10/2024
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff7c1ab0000
File size:	89'088 bytes
MD5 hash:	4E320E2F46342D6D4657D2ADBF1F22D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre